GAO 


United  States  Government  Accountability  Office _ 

Report  to  the  Committee  on  Foreign 
Affairs,  House  of  Representatives 


DIPLOMATIC 

SECURITY 

State  Department 
Should  Better  Manage 
Risks  to  Residences 
and  Other  Soft 
Targets  Overseas 


GAO-15-700 


Gm 

Highlights 

Highlights  of  GAO-15-700,  a  report  to  the 
Committee  on  Foreign  Affairs,  House  of 
Representatives 


Why  GAO  Did  This  Study 

Since  the  1998  East  Africa  bombings, 
U.S.  diplomatic  personnel  working 
overseas  have  faced  increasing  threats 
to  their  safety  and  security.  State  has 
built  many  new  embassies  and 
consulates  since  1998  and  enhanced 
security  measures  at  others.  Increased 
security  at  such  facilities  has  raised 
concerns  that  residences,  schools,  and 
other  places  where  U.S.  diplomatic 
personnel  and  their  families  congregate 
may  be  viewed  by  terrorists  as  more 
attractive  “soft  targets.”  GAO  was 
asked  to  review  the  security  of 
residences  and  other  soft  targets 
overseas.  GAO  evaluated  (1)  how 
State  assesses  risks  to  U.S.  diplomatic 
residences  overseas;  (2)  the 
timeliness,  clarity,  and  consistency  of 
residential  security  standards;  (3)  how 
State  addresses  security  vulnerabilities 
at  residences;  and  (4)  how  State 
manages  risks  to  other  soft  targets. 
GAO  reviewed  agency  documents;  met 
with  officials  in  Washington,  D.C.;  and 
conducted  fieldwork  at  a  judgmental 
sample  of  seven  higher-threat,  higher- 
risk  posts  in  four  of  State’s  six 
geographic  regions.  This  is  the  public 
version  of  a  sensitive  but  unclassified 
report  issued  in  June  2015. 

What  GAO  Recommends 

GAO  recommends  that  State,  among 
other  things,  institute  procedures  to 
ensure  residential  security  surveys  are 
completed  as  required,  clarify  its 
standards  and  security-related 
guidance  for  residences,  develop 
procedures  to  ensure  residences  either 
meet  standards  or  have  exceptions  on 
file,  and  take  steps  to  ensure  posts  are 
aware  of  existing  guidance  and  tools 
regarding  the  security  of  schools  and 
other  soft  targets.  State  concurred  with 
all  of  GAO’s  recommendations. 

View  GAO-15-700.  For  more  information, 
contact  Michael  J.  Courts  at  (202)  512-8980  or 
courtsm@gao.gov. 


July  2015 


DIPLOMATIC  SECURITY 

State  Department  Should  Better  Manage  Risks  to 
Residences  and  Other  Soft  Targets  Overseas 


What  GAO  Found 

The  Department  of  State  (State)  conducts  a  range  of  activities  to  assess  risks  to 
residences  overseas.  For  instance,  State  tracks  information  on  overseas 
residences  in  its  property  database,  establishes  threat  levels  at  overseas  posts, 
develops  security  standards  for  different  types  of  residences  and  threat  levels, 
and  requires  posts  to  periodically  conduct  residential  security  surveys.  However, 
17  of  the  68  surveys  for  residences  GAO  reviewed  were  untimely  or  missing. 
Without  up-to-date  security  surveys  of  all  its  overseas  residences,  State’s  ability 
to  identify  and  address  vulnerabilities  or  make  informed  decisions  about  where  to 
allocate  resources  for  security  upgrades  is  limited. 


Examples  of  U.S.  Principal  Officer  Residence  and  Multifamily  Staff  Residences  Overseas 


Sources:  Department  of  State  (left  and  center  photos);  GAO  (right  photo).  |  GAO-15-700 

State  has  taken  steps  to  update  its  residential  security  standards;  however,  these 
updates  have  not  been  timely,  and  the  standards  are  difficult  to  use.  According  to 
State  officials,  updating  residential  security  standards  should  take  about  75  days, 
but  all  three  updates  since  2005  took  more  than  3  years  each.  State  is  making 
efforts  to  improve  the  timeliness  of  such  updates  in  response  to  a  prior  GAO 
recommendation.  In  addition,  while  federal  internal  control  standards  state  that 
policy  standards  should  be  clear  and  consistent  to  support  good  decision  making, 
State’s  standards  and  other  security-related  guidance  for  residences  have  gaps 
and  inconsistencies,  complicating  posts’  efforts  to  determine  and  apply  the 
appropriate  security  measures  and  potentially  leaving  some  residences  at  risk. 

State  addresses  security  vulnerabilities  at  residences  by  installing  various 
upgrades  intended  to  help  residences  meet  security  standards,  but  38  of  the  68 
residences  GAO  reviewed  did  not  meet  all  applicable  standards.  For  example,  8 
residences  did  not  meet  the  standards  for  perimeter  barriers.  When  residences 
do  not  and  cannot  meet  all  applicable  security  standards,  posts  are  required  to 
request  exceptions,  which  identify  steps  the  posts  will  take  to  mitigate 
vulnerabilities.  However,  State  had  an  exception  on  file  for  only  1  of  the  38 
residences  that  did  not  meet  all  applicable  standards.  As  a  result,  State  lacks  key 
information  that  could  provide  it  with  a  clearer  picture  of  security  vulnerabilities  at 
residences  and  enable  it  to  make  better  risk  management  decisions. 

State  manages  risks  to  schools  and  other  soft  targets  overseas  in  several  ways, 
but  its  efforts  may  be  constrained  by  limited  awareness  of  relevant  guidance  and 
tools.  In  fiscal  years  2010  through  2015,  State  awarded  almost  400  grants  in  total 
for  security  upgrades  at  schools  and  other  soft  targets.  While  federal  internal 
control  standards  call  for  timely  communication  of  relevant  information  to  staff 
responsible  for  program  objectives,  officials  at  most  of  the  posts  GAO  visited 
were  unaware  of  some  guidance  and  tools  for  securing  schools  and  other  soft 
targets.  As  a  result,  State  may  not  be  fully  leveraging  existing  programs  and 
resources  for  addressing  security  needs  at  these  facilities. 

_ United  States  Government  Accountability  Office 


Contents 

Letter 

1 

Background 

3 

State  Conducts  a  Range  of  Activities  to  Assess  Risks  to 

Residences  Overseas,  but  Weaknesses  Exist  in  Security 

Surveys  at  Posts 

7 

State’s  Updates  of  Security  Standards  for  Residences  Have  Not 
Been  Timely,  and  the  Standards  Are  Difficult  to  Use 

13 

State  Uses  Upgrades  to  Address  Residential  Security 

Vulnerabilities,  but  More  Than  Half  of  Residences  We 

Reviewed  Did  Not  Meet  All  Standards  and  Lacked  Exceptions 

20 

State  Has  Taken  Steps  to  Manage  Risks  to  Schools  and  Other 

Soft  Targets,  but  Its  Efforts  May  Be  Constrained  by  Limited 
Awareness  of  Relevant  Guidance  and  Tools 

27 

Conclusions 

31 

Recommendations  for  Executive  Action 

31 

Agency  Comments 

32 

Appendix  1 

Objectives,  Scope,  and  Methodology 

33 

Appendix  II 

Comments  from  the  Department  of  State 

38 

Appendix  III 

GAO  Contact  and  Staff  Acknowledgments 

42 

Tables 

Table  1:  Selected  Foreign  Affairs  Manual  (FAM)  and  Foreign 

Affairs  Handbooks  (FAH)  Policies  Relevant  to  Security  of 
Residences  and  Other  Soft  Targets  Overseas 

6 

Table  2:  DS  and  OBO  Allocations  for  Residential  Security 

Upgrades,  Fiscal  Years  2010-2015 

21 

Table  3:  Allocations  for  Security  Upgrades  from  Soft  Target 
Program,  Fiscal  Years  2010-2015 

28 

Figures 


Figure  1 :  Six  Key  Categories  of  Physical  Security  Standards  at  a 

Notional  Diplomatic  Residence  10 


Page  i 


GAO-15-700  Diplomatic  Security 


Figure  2:  Time  Frames  for  Updates  to  Overseas  Security  Policy 
Board  Residential  Security  Standards  since  2005 


14 


Abbreviations 

ARB 

Accountability  Review  Board 

DS 

Bureau  of  Diplomatic  Security 

DS/C 

DS  Directorate  for  Countermeasures 

DS/IP 

DS  Directorate  for  International  Programs 

FAH 

Foreign  Affairs  Handbooks 

FAM 

Foreign  Affairs  Manual 

OBO 

Bureau  of  Overseas  Buildings  Operations 

OSPB 

Overseas  Security  Policy  Board 

RSO 

Regional  Security  Officer 

State 

Department  of  State 

This  is  a  work  of  the  U.S.  government  and  is  not  subject  to  copyright  protection  in  the 

United  States. 

The  published  product  may  be  reproduced  and  distributed  in  its  entirety 

without  further  permission  from  GAO.  However,  because  this  work  may  contain 

copyrighted  images  or  other  material,  permission  from  the  copyright  holder  may  be 

necessary  if  you  wish  to  reproduce  this  material  separately. 

Page  ii 


GAO-15-700  Diplomatic  Security 


GAO 

441  G  St.  N.W. 
Washington,  DC  20548 


U.S.  GOVERNMENT  ACCOUNTABILITY  OFFICE 


July  9,  2015 

The  Honorable  Edward  R.  Royce 
Chairman 

The  Honorable  Eliot  L.  Engel 
Ranking  Member 
Committee  on  Foreign  Affairs 
House  of  Representatives 

Following  the  August  1998  bombings  of  two  U.S.  embassies  in  East 
Africa,  the  Department  of  State  (State)  embarked  on  a  multiyear, 
multibillion  dollar  effort  to  replace  and  secure  vulnerable  diplomatic 
facilities  overseas.  State  has  constructed  more  than  100  new  diplomatic 
facilities  since  1998  and  has  enhanced  security  measures  at  many 
others.1  Increased  security  at  these  highly  symbolic  targets  has  raised 
concerns  that  residences,  schools,  and  other  places  where  U.S. 
diplomatic  personnel  and  their  families  congregate  may  be  viewed  as 
more  attractive  “soft  targets.”  According  to  State  reporting,  there  were 
approximately  30  attacks  against  U.S.  diplomatic  residences  and  other 
soft  targets  overseas  from  August  1998  to  December  2014.  Recent 
events  have  heightened  awareness  of  the  threats  these  kinds  of  facilities 
face.  For  example,  a  2014  posting  on  a  jihadist  website  called  for  attacks 
on  American  and  other  international  schools  in  the  Middle  East. 
Furthermore,  terrorists  have  conducted  attacks  on  Turkish  diplomatic 
residences  in  Somalia  and  numerous  schools  in  Nigeria,  Pakistan,  and 
Kenya. 

You  asked  us  to  review  the  security  of  U.S.  diplomatic  residences  and 
other  soft  targets  overseas,  particularly  in  high-threat  areas.2  For  this 
report,  we  evaluated  (1)  how  State  assesses  risks  to  U.S.  diplomatic 


previously  reported  on  State  efforts  to  secure  diplomatic  work  facilities  overseas.  See 
GAO,  Diplomatic  Security:  Overseas  Facilities  May  Face  Greater  Risks  Due  to  Gaps  in 
Security-Related  Activities,  Standards,  and  Policies,  GAO-14-655  (Washington,  D.C.: 

June  25,  2014). 

2For  the  purposes  of  this  report,  we  use  “other  soft  targets  overseas”  to  refer  primarily  to 
schools  attended  by  U.S.  government  dependents.  We  also  discuss  U.S.  employee 
association  facilities  located  off  embassy  or  consulate  compounds  and,  to  a  lesser  extent, 
facilities  such  as  hotels  and  hospitals. 


Page  1 


GAO-15-700  Diplomatic  Security 


residences  overseas;  (2)  the  timeliness,  clarity,  and  consistency  of  State’s 
security  standards  for  these  residences;  (3)  how  State  addresses  security 
vulnerabilities  at  residences;  and  (4)  how  State  manages  risks  to  other 
soft  targets  overseas. 

To  address  these  objectives,  we  reviewed  U.S.  laws;  relevant  State 
security  policies  and  procedures  as  found  in  cables,  the  Foreign  Affairs 
Manual  (FAM),3  and  the  Foreign  Affairs  Handbooks  (FAH)4 — in  particular, 
the  Residential  Security  Handbook  and  Overseas  Security  Policy  Board 
(OSPB)  standards;  Bureau  of  Diplomatic  Security  (DS)  threat  and  risk 
ratings,  periodic  assessments  of  post  security  programs,  and  residential 
security  exceptions;  post-specific  documents  pertaining  to  security  of 
residences  and  other  soft  targets;  Bureau  of  Overseas  Buildings 
Operations  (OBO)  data  on  overseas  residences  and  grants  for  security 
upgrades  at  schools  attended  by  children  of  U.S.  government  personnel 
and  off-compound  employee  association  facilities;  classified 
Accountability  Review  Board  (ARB)  reports  containing  recommendations 
related  to  residences;  and  past  GAO,  State  Office  of  Inspector  General, 
and  Congressional  Research  Service  reports.  We  also  interviewed 
officials  in  Washington,  D.C.,  from  DS;  OBO;  State’s  Office  of 
Management  Policy,  Rightsizing,  and  Innovation;  and  the  U.S.  Agency  for 
International  Development. 

We  reviewed  and  compared  relevant  residential  security  standards  and 
other  security-related  guidance  within  the  FAM  and  FAH  to  evaluate  their 
clarity  and  consistency.  We  also  evaluated  the  timeliness  of  updates  to 
residential  security  standards.  We  traveled  to  7  overseas  diplomatic  posts 
and  also  conducted  work  focused  on  3  other  posts.  Our  judgmental 
sample  of  10  posts  included  nine  countries  in  four  of  State’s  six 
geographic  regions — Africa,  the  Near  East,  South  and  Central  Asia,  and 
the  Western  Hemisphere.  In  addition  to  ensuring  geographic  coverage, 
we  selected  posts  that  had  relatively  high  threat  and  risk  ratings  as 
established  by  DS.  At  the  7  posts  we  visited,  we  evaluated  a  judgmental 
selection  of  68  residences  against  applicable  security  standards.  To  do 
so,  we  created  checklists  of  all  the  OSPB  residential  security  standards 
and  then  reviewed  each  residence  against  the  standards  applicable  to  it. 
We  also  reviewed  security  measures  in  place  at  10  schools  attended  by 


department  of  State,  Foreign  Affairs  Manual,  FAM. 
department  of  State,  Foreign  Affairs  Handbooks,  FAH. 


Page  2 


GAO-15-700  Diplomatic  Security 


U.S.  government  dependents  and  3  off-compound  employee  association 
facilities  and  met  with  State’s  regional  security  officers  (RSO)  and  other 
officials  involved  in  efforts  to  secure  residences  and  other  soft  targets. 
Our  findings  from  our  sample  of  10  posts  are  not  generalizable  to  all 
posts.  (For  security  reasons,  we  are  not  naming  the  10  posts  in  our 
judgmental  sample.)  We  assessed  DS’s  risk  management  practices 
against  its  own  policies  and  standards  (see  Background  for  additional 
detail  on  these  documents),  best  practices  for  results-oriented 
management  we  identified  in  a  previous  report,* * * 5  and  federal  internal 
control  standards.6  See  appendix  I  for  a  complete  description  of  our 
scope  and  methodology. 

We  conducted  this  performance  audit  from  July  2014  to  June  2015  in 
accordance  with  generally  accepted  government  auditing  standards. 
Those  standards  require  that  we  plan  and  perform  the  audit  to  obtain 
sufficient,  appropriate  evidence  to  provide  a  reasonable  basis  for  our 
findings  and  conclusions  based  on  our  audit  objectives.  We  believe  that 
the  evidence  obtained  provides  a  reasonable  basis  for  our  findings  and 
conclusions  based  on  our  audit  objectives. 

This  report  is  a  public  version  of  a  sensitive  but  unclassified  report  that 
was  issued  on  June  18,  2015,  copies  of  which  are  available  upon  request 
for  official  use  only  by  those  with  the  appropriate  need-to-know.  This 
report  does  not  contain  certain  information  that  State  regarded  as 
sensitive  but  unclassified  and  requested  that  we  remove.  We  provided 
State  a  draft  copy  of  this  report  for  sensitivity  review,  and  State  agreed 
that  we  had  appropriately  removed  all  sensitive  but  unclassified 
information. 


Background 


According  to  State,  more  than  25,000  U.S.  government  personnel  are 

assigned  to  275  U.S.  diplomatic  posts  overseas.7  These  officials 

represent  a  number  of  agencies  besides  State,  such  as  the  Departments 


5GAO,  Executive  Guide:  Effectively  Implementing  the  Government  Performance  and 
Results  Act,  GAO/GGD-96-1 18  (Washington,  D.C.:  June  1996). 

6GAO,  Standards  for  Internal  Control  in  the  Federal  Government,  GAO/AIMD-OO-21.3.1 
(Washington,  D.C.:  November  1999). 

7This  figure  does  not  include  locally  employed  staff  who  work  at  U.S.  embassies  and 
consulates. 


Page  3 


GAO-15-700  Diplomatic  Security 


of  Agriculture,  Defense,  Homeland  Security,  Justice,  and  the  Treasury, 
and  the  U.S.  Agency  for  International  Development,  among  others.  As  we 
reported  in  2005,  State  considers  soft  targets  to  be  places  where 
Americans  and  other  westerners  live,  congregate,  shop,  or  visit.8  In 
addition  to  residences  and  schools,  soft  targets  can  include  hotels,  clubs, 
restaurants,  shopping  centers,  places  of  worship,  and  public  recreation 
events.  Travel  routes  of  U.S.  government  employees  are  also  considered 
soft  targets,  based  on  their  vulnerability  to  terrorist  attacks.  For  the 
purposes  of  this  report,  we  focus  primarily  on  U.S.  diplomatic  residences; 
we  also  focus  on  schools  attended  by  U.S.  government  dependents  and 
off-compound  employee  association  facilities  since  such  schools  and 
facilities  are  eligible  for  State-funded  security  upgrades. 

As  of  the  end  of  fiscal  year  2014,  the  U.S.  government  leased  or  owned 
more  than  15,000  residences  worldwide,  according  to  State.  About 
13,000  were  residences  leased  by  the  U.S.  government  and  located  off 
embassy  or  consulate  compounds,  while  slightly  more  than  2,000  were 
government-owned,  most  of  which  were  also  located  off  embassy  or 
consulate  compounds.9  With  respect  to  schools,  State  estimates  that 
there  are  nearly  250,000  school-age  American  children  overseas,  of 
which  approximately  8,000  are  U.S.  government  dependents.  State 
provides  assistance  to  almost  200  “American-sponsored”  schools 
worldwide  to  help  provide  quality  education  for  children  of  U.S. 
government  employees.10  U.S.  government  dependents  may  also  attend 
any  other  schools  preferred  by  their  parents.  In  addition,  State  has 
chartered  about  130  employee  associations  at  posts  overseas.  These 
associations  maintain  a  variety  of  facilities,  including,  among  others,  retail 
stores,  cafeterias,  recreational  facilities,  and  quarters  for  officials  on 
temporary  duty.  Some  of  these  facilities  are  located  off  embassy  or 
consulate  compounds.  The  vast  majority  of  the  facilities  are  either  owned 
or  leased  by  the  U.S.  government. 


8GAO,  Overseas  Security:  State  Department  Has  Not  Fully  Implemented  Key  Measures  to 
Protect  U.  S.  Officials  from  Terrorist  Attacks  Outside  of  Embassies,  GAO-05-642 
(Washington,  D.C.:  May  9,  2005). 

According  to  State,  as  of  March  2015,  more  than  900  additional  residences  were  leased 
privately  by  U.S.  government  personnel  using  the  living  quarters  allowance,  which 
reimburses  employees  for  suitable,  adequate  living  quarters  at  posts  where  the  U.S. 
government  does  not  provide  them. 

10The  U.S.  government  does  not  operate  or  control  these  schools.  According  to  State,  the 
majority  of  the  schools  are  nonprofit,  independent  institutions. 


Page  4 


GAO-15-700  Diplomatic  Security 


According  to  State,  host-country  police,  security,  and  intelligence  forces 
are  often  the  first  line  of  defense  in  protecting  U.S.  government  personnel 
against  potential  threats.  Additionally,  as  required  by  the  Omnibus 
Diplomatic  Security  and  Antiterrorism  Act  of  1986,  the  Secretary  of  State, 
in  consultation  with  the  heads  of  other  federal  agencies,  is  responsible  for 
developing  and  implementing  policies  and  programs  to  protect  U.S. 
government  personnel  on  official  duty  abroad,  along  with  their 
accompanying  dependents.11  Responsibility  for  the  security  of  residences 
and  other  soft  targets  overseas  falls  primarily  on  DS  and  OBO. 

•  DS  is  responsible  for,  among  other  things,  establishing  and  operating 
security  and  protective  procedures  at  posts,  chairing  the  interagency 
process  that  sets  security  standards,  and  developing  and 
implementing  posts’  residential  security  programs,  which  includes 
providing  funding  for  most  residential  security  upgrades.  At  posts,  DS 
agents  known  as  RSOs,  including  deputy  RSOs  and  assistant  RSOs, 
are  responsible  for  protecting  personnel  and  property,  documenting 
threats  and  residential  vulnerabilities,  and  identifying  possible 
mitigation  efforts  to  address  those  vulnerabilities.  Posts  with  high 
turnover  of  residences  or  a  large  number  of  residences  may  also  have 
a  residential  security  coordinator  on  the  RSO’s  staff  to  assist  with 
supervision  and  management  of  the  posts’  residential  security 
programs.12  RSOs  are  also  responsible  for  offering  security  advice 
and  briefings  to  schools  attended  by  U.S.  government  dependents 
and  recommending  security  upgrades  to  school  and  employee 
association  facilities. 

•  OBO  tracks  information  on  State’s  real  properties,  including 
residences;  provides  funding  for  certain  residential  security  upgrades; 
and  funds  and  manages  the  Soft  Target  Program,  State’s  program  for 
providing  security  upgrades  to  schools  attended  by  U.S.  government 
dependents  and  off-compound  employee  association  facilities. 

State’s  policies  are  outlined  in  the  FAM  and  corresponding  FAH.  Sections 
of  the  FAM  and  FAH  relevant  to  residential  security  include  various 


"Pub.  L.  No.  99-399,  §  103,  100  Stat.  853,  856  (codified  as  amended  at  22  U.S.C.  § 
4802).  This  requirement  does  not  apply  to  personnel  under  the  command  of  a  United 
States  area  military  commander. 

12ln  the  remainder  of  this  report,  we  use  “RSOs”  to  refer  to  RSOs,  deputy  and  assistant 
RSOs,  residential  security  coordinators,  and  other  professional  staff  who  work  in  RSO 
offices. 


Page  5 


GAO-15-700  Diplomatic  Security 


subchapters  detailing  State’s  program  for  residential  security,13  the  OSPB 
residential  security  standards,14  and  security-related  guidance  found  in 
the  Residential  Security  Handbook15  and  Physical  Security  Handbook.16 
In  addition,  the  FAM  includes  sections  that  provide  guidance  about 
schools  that  enroll  U.S.  government  dependents  and  off-compound 
employee  association  facilities.17  See  table  1  for  further  details  on 
selected  FAM  and  FAH  policies  that  are  pertinent  to  securing  residences 
and  other  soft  targets. 


Table  1:  Selected  Foreign  Affairs  Manual  (FAM)  and  Foreign  Affairs  Handbooks  (FAH)  Policies  Relevant  to  Security  of 
Residences  and  Other  Soft  Targets  Overseas 

Policy  topic  or  name 

FAM/FAH  location 

Description 

Residential  security  program 

12  FAM  470 

Identifies  purpose  of  State’s  residential  security  program  and  key 
roles  and  responsibilities  in  implementing  the  program. 

Overseas  Security  Policy  Board 
residential  security  standards 

12  FAH-6 

Lists  security  standards  used  to  determine  the  minimum  acceptable 
level  of  residential  security  protection  at  posts. 

Residential  Security  Handbook 

12  FAH-8 

Provides  detailed  supporting  information  to  help  posts’  security 
officials  understand  how  to  implement  and  meet  the  security 
standards  for  residences  located  off  embassy  or  consulate 
compounds. 

Physical  Security  Handbook 

12  FAH-5 

Provides  detailed  supporting  information  to  help  posts’  security 
officials  understand  how  to  implement  and  meet  the  security 
standards  for  various  facilities,  including  residences  located  on 
embassy  or  consulate  compounds. 

Post  security  management 

12  FAM  420 

Among  other  things,  identifies  responsibilities  of  posts’  security 
officials  with  respect  to  residences  and  schools  that  enroll  U.S. 
government  dependents. 

Approvals  required  for  repairs  and 
improvements 

15  FAM  640 

Among  other  things,  outlines  the  rules  for  security  upgrades  to 
schools  and  off-compound  employee  association  facilities. 

Source:  GAO  analysis  of  Department  of  State  (State)  data.  |  GAO-15-700 


In  addition  to  these  policies,  State  has  produced  other  guidance 
documents,  such  as  a  matrix  that  identifies  which  residential  security 
upgrades  DS  and  OBO,  respectively,  are  responsible  for  funding  and  an 


1312  FAM  470. 

1412  FAH-6. 

1512  FAH-8. 

1612  FAH-5. 

17For  example,  see  15  FAM  640. 


Page  6 


GAO-15-700  Diplomatic  Security 


OBO-drafted  cable  that  outlines  the  process  for  requesting  security 
upgrades  at  schools  and  employee  association  facilities. 

State  Conducts  a 
Range  of  Activities  to 
Assess  Risks  to 
Residences 

Overseas,  but 
Weaknesses  Exist  in 
Security  Surveys  at 
Posts 

State  assesses  risks  to  U.S.  diplomatic  residences  overseas  using  a 
range  of  activities,  but  many  security  surveys  were  not  completed  for 
residences  we  visited.  We  found  that  State  (1)  records  and  monitors 
information  on  overseas  residences  in  its  property  database,  (2) 
establishes  threat  levels  at  overseas  posts,  (3)  develops  security 
standards  for  residences,  and  (4)  uses  these  standards  to  conduct 
security  surveys  of  residences  to  identify  vulnerabilities.  However,  17  of 

68  surveys  for  residences  we  visited  were  not  completed  as  required, 
thereby  limiting  State’s  ability  to  effectively  and  efficiently  identify  and 
address  vulnerabilities. 

OBO  Tracks  Overseas 
Residences  and  Has 

Taken  Steps  to  Improve 
the  Reliability  of  Its  Data 

OBO  is  responsible  for  maintaining  records  on  all  diplomatic  residences 
overseas  in  its  real  property  database  (hereafter  referred  to  as  OBO’s 
property  database).  OBO’s  property  database  contains  data  on 
residences  owned  and  leased  by  the  U.S.  government,  and  includes 
details  such  as  residence  type  and  address,  whether  a  given  residence  is 
leased  or  owned,  the  agency  affiliation  of  the  occupant,  and  the 
acquisition  date,  among  others.  DS  officials  told  us  that  they  rely  on 

OBO’s  database  as  their  source  for  such  details  on  residences. 

As  we  have  previously  reported,  maintaining  accurate  and  reliable 
property  information  has  been  a  long-standing  challenge  for  State.18  OBO 
has  taken  a  number  of  steps  to  enhance  its  property  data  since  we  first 
reported  on  this  issue,  including  hiring  dedicated  analysts  to  review  and 
validate  data  entered  at  posts  and  processing  budget  requests  through 

1  ft 

See  GAO,  Overseas  Real  Property:  State  Department  Needs  to  Improve  Guidance  and 
Records  Management,  GAO-14-769  (Washington,  D.C.:  Sept.  25,  2014);  GAO-14-655; 
State  Department:  Sale  of  Unneeded  Overseas  Property  Has  Increased,  but  Further 
Improvements  Are  Necessary,  GAO-02-590  (Washington,  D.C.:  June  11, 2002);  State 
Department:  Additional  Actions  Needed  to  Improve  Overseas  Real  Property  Management, 
GAO/NSIAD-95-128  (Washington,  D.C.:  May  15,  1995);  High  Risk  Series:  Management  of 
Overseas  Real  Property,  GAO/HR-93-15  (Washington,  D.C.:  Dec.  1,  1992);  and  State 
Department:  Management  of  Overseas  Real  Property  Needs  Improvement, 
GAO/NSIAD-89-1 1 6  (Washington,  D.C.:  Apr.  13,  1989). 

Page  7 


GAO-15-700  Diplomatic  Security 


the  property  database  so  that  funding  requests  from  posts  are  linked  to 
the  accuracy  of  the  posts’  property  data.19  State  also  concurred  with  our 
June  2014  recommendation  that  OBO  establish  a  routine  process  for 
validating  the  accuracy  of  the  data  in  its  property  database,  and  we 
continue  to  follow  up  on  State’s  efforts  to  implement  the 
recommendation.20  During  this  review,  we  found  inaccuracies  in  the 
property  data  for  2  of  the  68  residences  we  visited:  in  both  cases,  the 
residence  type  listed  was  incorrect.  OBO  officials  told  us  that  they 
reached  out  to  the  posts  where  the  residences  were  located  and  asked 
them  to  input  the  correct  information. 


DS  Establishes  Threat 
Levels  at  Posts  Overseas 
and  Leads  Development 
of  Security  Standards  for 
Residences 


DS  conducts  two  key  activities  to  help  assess  risks  to  residences.  First, 
DS  evaluates  the  security  situation  at  each  overseas  post  by  assessing 
five  types  of  threats — political  violence,  terrorism,  crime,  and  two 
classified  categories — and  assigning  corresponding  threat  levels  for  each 
threat  type.  The  threat  levels  are  as  follows: 

•  critical:  grave  impact  on  U.S.  diplomats; 

•  high:  serious  impact  on  U.S.  diplomats; 

•  medium:  moderate  impact  on  U.S.  diplomats;  and 

•  low:  minor  impact  on  U.S.  diplomats. 

Threat  levels  for  each  post  are  assessed  and  updated  annually  in  the 
Security  Environment  Threat  List.  According  to  DS  officials,  the  bureau 
develops  the  list  based  on  questionnaires  filled  out  by  post  officials,  and 
the  final  threat  ratings  are  reviewed  and  finalized  through  an  iterative 
process  involving  officials  at  overseas  posts  and  headquarters.  These 
threat  levels  are  used  to  determine  the  security  measures  required  for 
residences  at  each  post. 


Second,  in  consultation  with  the  interagency  OSPB,  DS  develops  physical 
security  standards  for  diplomatic  facilities  and  residences.21  The 


19According  to  OBO  officials,  OBO  plans  to  continue  these  developments  and  address 
additional  issues  in  the  next  version  of  its  real  property  database,  which  is  scheduled  for 
release  in  December  2015. 

20GAO-14-655. 

21  Chaired  by  the  Assistant  Secretary  of  DS,  OSPB  includes  representatives  from 
approximately  20  U.S.  agencies  with  personnel  overseas,  including  intelligence  and 
foreign  affairs  agencies,  among  others. 


Page  8 


GAO-15-700  Diplomatic  Security 


residential  security  standards  apply  to  all  residences  of  U.S.  government 
personnel  assigned  abroad  under  chief-of-mission  authority.  The  OSPB 
standards  are  published  in  the  FAH  and  vary  by  residence  type. 
Specifically,  there  are  separate  OSPB  standards  for  six  different 
residence  types,  one  of  which  is  on-compound  housing.  The  remaining 
five  are  for  off-compound  (1)  apartments,  (2)  single  family  homes,  (3) 
residential  compounds,  (4)  Marine  Security  Guard  residences,  and  (5) 
residences  for  principal  officers.  OSPB  standards  also  vary  by  date  of 
construction  or  acquisition,  threat  level,  and  whether  they  are  mandatory. 
If  residences  do  not  meet  all  applicable  mandatory  standards,  posts  are 
required  to  request  exceptions  to  the  OSPB  standards.22 

Within  the  OSPB  standards,  we  identified  six  key  categories  of  security 
standards  to  protect  residences  from  the  threats  of  political  violence, 
terrorism,  and  crime.  These  include  (1)  an  anti-climb  perimeter  barrier, 
such  as  a  wall  or  a  fence,  and  access  control;  (2)  setback  from  the 
perimeter;  (3)  a  secure  off-street  parking  area;  (4)  a  secure  building 
exterior  with  substantial  doors  and  grilled  windows  with  shatter-resistant 
film;  (5)  alarms;  and  (6)  a  safe  space  for  taking  refuge.  Figure  1  portrays 
these  six  categories  at  a  notional  residence. 


22According  to  the  FAM,  if  a  residence  does  not  meet  and  cannot  be  made  to  meet  the 
required  security  standards — and  no  other  acceptable  residential  property  is  available — 
the  post  must  request  an  exception  to  the  standards.  The  FAM  and  FAH  state  that  no 
action  should  be  taken  to  purchase  or  lease  the  property  until  DS  approves  the  exception 
request.  DS  headquarters  evaluates  post  exception  requests  based  on  several  factors, 
such  as  post  threat  levels  and  mitigation  measures  taken  in  lieu  of  meeting  the  standard. 
The  Assistant  Secretary  of  DS  serves  as  the  final  reviewer  for  approving  or  disapproving 
exception  requests. 


Page  9 


GAO-15-700  Diplomatic  Security 


Figure  1:  Six  Key  Categories  of  Physical  Security  Standards  at  a  Notional  Diplomatic  Residence 


Key  security  standards 

•  Anti-climb  perimeter  barrier  and  access  control 

•  Setback 

•  Secure  parking 

•  Secure  building  exterior 

•  Alarms  (not  shown) 

•  Safe  space  for  taking  refuge  (not  shown) 


,nti-climb  wall 


Secure  building 
exterior 


Anti-climb  wall 


Access  control 


Access  control 


Anti-climb  wall 


Anti-climb  wall 


Sources:  GAO  analysis  of  Department  of  State  data;  Nova  Development  (clip  art).  |  GAO-1 5-700 

Note:  Figure  shown  represents  a  notional  residence.  Not  every  residence  is  subject  to  all  six 
categories  of  physical  security  standards. 


In  addition  to  the  OSPB  standards,  State  developed  the  Residential 
Security  Handbook  and  Physical  Security  Handbook,  also  published  in 
the  FAH,  which  provide  detailed  supporting  information  designed  to  help 
officials  understand  how  to  implement  and  meet  the  OSPB  standards. 


Page  10 


GAO-15-700  Diplomatic  Security 


Posts  Conduct  Residential 
Security  Surveys  to 
Identify  Vulnerabilities,  but 
Many  Surveys  at  Posts 
We  Visited  Were  Not 
Completed  as  Required 


According  to  the  FAM,  before  State  can  purchase  or  lease  an  overseas 
residence,  the  RSO  must  conduct  a  residential  security  survey  of  the 
property,  document  all  security  deficiencies  that  must  be  corrected,  and 
approve  the  purchase  or  lease  of  the  residence.23  Off-compound 
residences  must  be  resurveyed  every  5  years,  and  on-compound 
residences  must  be  resurveyed  every  3  years.  Additionally,  according  to 
DS  officials,  RSOs  at  posts  that  experience  a  change  in  threat  level  must 
resurvey  all  post  residences  within  1  year  of  the  threat-level  change. 

While  officials  at  the  posts  we  visited  were  able  to  provide  us  with  up-to- 
date  surveys  for  most  of  the  68  residences  that  we  evaluated,  not  all 
surveys  at  five  of  the  seven  posts  we  visited  met  the  requirements 
outlined  in  the  FAH  and  the  FAM.  Specifically,  17  surveys  were  not 
completed  as  required:  9  surveys  were  outdated,  1  survey  was  completed 
after  the  residence  had  already  been  leased,  and  7  surveys  were  missing. 
Among  the  residences  with  surveys  that  did  not  meet  requirements  were 
those  of  two  principal  officers.  At  one  post,  we  found  that  the  consul 
general’s  residence  had  not  been  surveyed  since  2006.  At  another,  the 
RSO  was  unable  to  find  a  survey  for  the  ambassador’s  residence. 


Missing  or  outdated  surveys  may  limit  DS  and  posts’  ability  to  identify  and 
address  residential  security  vulnerabilities  that  could  have  otherwise  been 
recognized  and  corrected  through  the  security  survey  process.  As  noted 
in  the  framework  we  developed  to  help  federal  agencies  implement  the 
Government  Performance  and  Results  Act  of  1993,  leading  organizations 
reinforce  results-oriented  management  by  giving  their  managers 
extensive  authority  to  pursue  organizational  goals  in  exchange  for 
accountability  for  results.24  According  to  officials  at  DS  headquarters, 
ensuring  that  residential  security  surveys  are  completed  as  required  is  the 
responsibility  of  individual  posts.  These  officials  added  that  they  recently 
started  reviewing  surveys  for  on-compound  residences.  However,  aside 
from  periodic  DS  headquarters-led  inspections  that  review,  in  part,  the 
extent  to  which  posts  are  conducting  residential  security  surveys  as 
required,  DS  has  not  instituted  procedures  to  hold  posts  accountable  for 
complying  with  the  survey  requirements  for  off-compound  residences, 
which,  as  noted  earlier,  greatly  outnumber  on-compound  residences. 
Without  up-to-date  security  surveys  of  all  its  overseas  residences,  State 
has  limited  ability  to  effectively  and  efficiently  identify  vulnerabilities  or 


2312  FAM  335.2. 
24GAO/GGD-96-1 1 8. 


Page  11 


GAO-15-700  Diplomatic  Security 


make  informed  decisions  about  where  to  allocate  resources  for  security 
upgrades  to  address  such  vulnerabilities. 


State  Has  Taken  or  Planned  Actions  to  Enhance  Residential  Security 
Following  Attacks  on  U.S.  Facilities  and  Personnel 

State  has  taken  steps  to  enhance  residential  security  in  response  to  previous 
attacks  on  U.S.  facilities.  These  have  included  actions  taken  or  planned  to  address 
recommendations  resulting  from  interagency  security  assessments  and 
Accountability  Review  Board  (ARB)  reports.  In  response  to  the  September  2012 
attacks  against  U.S.  diplomatic  facilities — including  facilities  in  Libya,  Sudan, 

Tunisia,  Yemen,  and  Egypt,  among  others — State  formed  several  Interagency 
Security  Assessment  Teams  to  assess  security  vulnerabilities  at  19  posts  that  the 
Bureau  of  Diplomatic  Security  considered  to  be  high-threat  and  high-risk.  Rather 
than  assess  the  facilities  at  the  19  posts  against  the  Overseas  Security  Policy  Board 
standards  typically  used  to  assess  these  facilities,  the  teams  assessed  all  facilities 
at  the  19  posts  for  any  type  of  security  vulnerability — physical  or  procedural.  This 
assessment  process  resulted  in  a  report  that  recommended  physical  security 
upgrades  at  some  residences.  At  one  post  that  we  visited,  officials  noted  that  in 
response  to  this  report  they  had  added  a  closed-circuit  television  system  at  the 
ambassador’s  residence,  but  had  not  yet  installed  an  emergency  siren  system  at  a 
residential  compound,  which  was  also  recommended  by  the  report. 

State  has  also  taken  or  planned  steps  to  address  recommendations  from  ARB 
reports  stemming  from  previous  attacks  on  U.S.  facilities  and  personnel  overseas. 
According  to  State,  there  have  been  four  ARB  reports  related  to  the  security  of 
residences,  with  10  residential  security  recommendations  in  total.  We  found  that  8  of 
the  10  recommendations  related  to  residential  security  have  been  implemented.  For 
instance,  State  established  an  interagency  working  group  in  response  to  a 
recommendation  to  conduct  a  comprehensive  review  of  issues  related  to  residential 
security.  The  2  open  recommendations  are  both  from  the  2005  ARB  report  on  the 
attacks  on  the  U.S.  consulate  in  Jeddah,  Saudi  Arabia.  Those  recommendations, 
which  called  for  the  construction  of  a  new  consulate  compound  along  with 
residences  that  meet  the  relevant  security  standards,  will  be  closed  as  implemented 
once  staff  transition  into  the  new  consulate  compound  in  Jeddah.  According  to  State 
documentation,  the  new  consulate  compound  was  originally  projected  for  completion 
in  March  2010.  However,  in  May  2010,  State  terminated  the  contract  because  of  the 
original  contractor’s  failure  to  perform.  State  awarded  a  new  contract  for  the  project 
in  September  2012.  State  officials  told  us  in  November  2014  that  they  expect 
substantial  construction  of  the  new  consulate  compound  to  be  completed  in 
December  2015  and  that  the  planned  move-in  date  is  March  2016. 


Source:  GAO  analysis  of  Department  of  State  (State)  data.  |  GAO-15-700 


Page  12 


GAO-15-700  Diplomatic  Security 


State’s  Updates  of 
Security  Standards 
for  Residences  Have 
Not  Been  Timely,  and 
the  Standards  Are 
Difficult  to  Use 

State  Has  Not  Always 
Been  Timely  in  Updating 
Security  Standards  for 
Residences  or 
Communicating  Changes 


Over  the  last  decade,  State  has  taken  steps  to  develop  or  revise  several 
sets  of  OSPB  residential  security  standards.  However,  we  found  that 
State  has  not  been  timely  in  updating  these  standards,  nor  has  it  always 
communicated  changes  to  posts  in  a  timely  manner.  Moreover,  the  OSPB 
standards  and  other  security-related  guidance  for  residences  are 
confusing  in  nature  and  contain  gaps  and  inconsistencies,  thereby 
complicating  posts’  efforts  to  apply  the  appropriate  security  measures  and 
potentially  leaving  residences  at  risk. 


Federal  internal  control  standards  state  that  agencies  must  have  timely 
communication  and  information  sharing  to  achieve  objectives;25  therefore, 
it  is  vital  that  agencies  update  their  policies  in  a  timely  manner, 
particularly  when  lives  and  the  security  of  property  and  information  are  at 
stake.  DS  manages  the  interagency  process  by  which  OSPB  security 
standards  are  updated.  According  to  DS  officials,  it  should  take  about  75 
days  to  make  an  update  to  the  OSPB  standards.26  Specifically,  it  should 
take  up  to  30  days  to  draft  and  obtain  approval  within  DS  for  an  update  to 
the  security  standards  in  the  FAH  and  up  to  another  15  days  to  obtain 
approval  for  the  draft  changes  by  other  relevant  stakeholders  within  State, 
such  as  OBO  and  the  Office  of  the  Legal  Adviser.  Obtaining  approval 
from  OSPB  members  should  occur  within  an  additional  30  days.  Once  all 
of  the  required  approvals  are  obtained,  DS  sends  the  update  to  the 
Bureau  of  Administration  for  publishing. 

Since  2005,  State  has  taken  steps  to  update  three  sections  of  the  FAH 
with  new  or  revised  OSPB  residential  security  standards;  however,  the 
time  it  took  to  complete  these  updates  significantly  exceeded  75  days. 
Specifically,  State  (1)  developed  new  residential  security  standards  to 
address  the  threat  of  terrorism,  (2)  revised  the  standards  for  newly 
acquired  on-compound  housing,  and  (3)  developed  new  standards  for 
existing  on-compound  housing.  In  each  of  these  cases,  the  update 
process  took  more  than  3  years,  including  one  instance  that  took  more 
than  9  years  (see  fig.  2). 


25GAO/AI M  D-00-2 1.3.1. 

26We  reported  in  June  2014  that  DS  officials  told  us  it  should  take  90  days  to  update  the 
OSPB  standards.  See  GAO-14-655.  In  comments  on  that  report,  State  noted  that  it  had 
recently  shortened  the  approval  time  frame  for  other  relevant  stakeholders  within  State 
from  30  days  to  1 5  days,  thereby  reducing  the  total  amount  of  time  it  should  take  to 
update  the  OSPB  standards  from  90  days  to  75  days. 


Page  13 


GAO-15-700  Diplomatic  Security 


Figure  2:  Time  Frames  for  Updates  to  Overseas  Security  Policy  Board  Residential  Security  Standards  since  2005 


Expected  time  frame  75  days 


New  standards  to  address  the 
threat  of  terrorism 


9  years,  1  month 


Revised  standards  for  newly 
acquired  on-compound  housing 


3  years,  10  months 


New  standards  for  existing 
on-compound  housing 


4  years,  6  months 


Source:  GAO  analysis  of  Department  of  State  data.  |  GAO-1 5-700 


•  In  April  2005,  the  ARB  resulting  from  the  attacks  on  the  U.S. 
consulate  in  Jeddah,  Saudi  Arabia,  recommended  developing 
residential  security  standards  to  address  terrorism.  A  working  group 
completed  a  final  draft  of  the  standards  4  years  later  in  April  2009, 
and  it  took  other  stakeholders  within  State  nearly  5  more  years  to 
clear  the  standards.  As  a  result,  the  standards  were  not  approved  by 
OSPB  and  published  until  May  2014.  Moreover,  DS  did  not  notify 
posts  that  the  new  standards  had  been  completed  until  mid-October 
2014 — 5  months  after  their  publication  and  3  months  after  they  went 
into  effect.  DS  officials  stated  that  their  decision  to  notify  posts  was 
prompted  in  part  by  our  asking  how  posts  become  aware  of  new  or 
revised  standards.  Of  the  three  posts  that  we  visited  prior  to  DS’s 
notification  regarding  the  new  standards,  one  had  found  them  in  the 
FAH  on  its  own  in  the  same  month  that  the  standards  went  into  effect, 
one  had  found  the  new  standards  in  the  FAH  on  its  own  but  not  until 
they  had  already  gone  into  effect,  and  one  was  unaware  of  the  new 
standards  until  we  mentioned  them  during  our  visit.  According  to  DS 
officials,  these  new  standards  applied  immediately  to  off-compound 
residences  acquired  on  or  after  July  1 , 2014;  all  other  off-compound 
residences  have  to  meet  the  standards  within  3  years — by  July 
2017 — or  receive  exceptions.  However,  because  DS  did  not  notify 
posts  about  the  new  standards  until  October  2014,  post  officials 
effectively  lost  several  months  during  which  they  could  have  been 
preparing  to  apply  the  new  standards.  Additionally,  officials  at  one 
post  stated  that  the  DS  notification  arrived  1  day  before  the  deadline 
for  submitting  a  budget  request  for  the  following  fiscal  year.  In  order  to 
request  funding  for  newly  required  security  features,  they  had  to  make 
major  revisions  to  the  budget  request  they  had  already  developed  but 


Page  14  GAO-15-700  Diplomatic  Security 


had  very  little  time  to  do  so.  Likewise,  officials  at  another  post  stated 
that  they  had  to  make  significant  revisions  to  the  building  plan  for  a 
new  residential  compound  already  under  construction  in  order  for  it  to 
meet  the  new  standards. 

•  In  November  2010,  OSPB  gave  its  approval  for  revising  the  standards 
for  newly  acquired  on-compound  housing.  These  standards  were  not 
finalized  until  September  2014.  DS  notified  posts  of  their  publication  in 
October  2014. 

•  In  November  2010,  OSPB  also  gave  its  approval  for  developing  new 
standards  for  existing  on-compound  housing.  The  standards  did  not 
receive  approval  within  DS  until  September  2014.  State  published  the 
standards  in  May  2015. 

As  we  reported  in  June  2014,  two  key  factors  can  cause  major  delays  in 
DS’s  process  for  updating  security  standards.27  First,  if  a  stakeholder 
suggests  a  change  to  the  draft  standards  at  any  time  during  the  review 
process,  the  proposed  draft  must  go  through  the  entire  review  process 
again;  some  stakeholders  may  then  request  additional  time  for  reviewing 
proposed  changes,  further  prolonging  the  process.  Second,  when 
changes  are  being  made  to  an  existing  FAH  subchapter,  the  FAH 
requires  officials  to  review  and  update  the  entire  subchapter,  and 
according  to  DS  officials,  there  is  no  specific  exception  for  updates  to 
standards  aimed  at  ensuring  security  and  protecting  lives.  As  a  result, 
even  when  DS  needs  to  make  urgent  changes  to  the  OSPB  standards,  it 
must  review  and  update  the  entire  subchapter  containing  the  update. 

In  an  attempt  to  mitigate  delays  in  the  process  for  updating  OSPB 
standards,  State  has  taken  some  steps  to  help  posts  apply  draft 
standards  before  they  are  officially  approved,  but  these  steps  have  not 
fully  addressed  the  delays.  While  the  standards  for  newly  acquired  on- 
compound  housing  were  still  in  the  OSPB  approval  process,  State 
incorporated  them  into  the  Physical  Security  Handbook — updates  to 
which,  according  to  DS,  require  clearance  only  within  State — so  that 
RSOs  could  begin  to  apply  them.  Similarly,  State  incorporated  the 
standards  for  existing  on-compound  housing  into  the  Physical  Security 
Handbook  before  DS  approved  them.  With  respect  to  timely 
communication  of  updated  standards,  DS  recently  began  sending 
monthly  notices  to  RSOs  to  announce  recently  published  updates  to  the 
FAH.  However,  DS  had  not  yet  begun  these  monthly  notices  when  the 


27GAO-1 4-655. 


Page  15 


GAO-15-700  Diplomatic  Security 


new  standards  addressing  terrorism  were  finalized  in  May  2014.  Thus, 
these  efforts  notwithstanding,  delays  in  updating  OSPB  security 
standards  and  communicating  the  updates  may  leave  posts  unaware  of 
the  most  current  security  measures  required  to  address  identified  threats. 
Accordingly,  we  recommended  in  June  2014  that  State  take  steps  to 
ensure  that  updates  to  security  and  safety  standards  be  approved 
through  an  expedited  review  process.28  State  concurred  with  the 
recommendation,  explaining  that  it  had  shortened  the  deadline  for 
department  clearance  on  draft  policies  from  30  days  to  15  days.  However, 
in  two  of  the  three  cases  outlined  above — the  revised  standards  for  newly 
acquired  on-compound  housing  and  the  new  standards  for  existing  on- 
compound  housing — draft  standards  were  submitted  for  department 
clearance  after  State’s  decision  to  shorten  the  associated  deadline  to  15 
days.  In  both  cases,  it  took  more  than  4  months  to  secure  department 
clearance.  We  continue  to  follow  up  on  State’s  efforts  to  implement  our 
recommendation  to  use  an  expedited  review  process  for  updating  security 
and  safety  standards. 


Relevant  Security 
Standards  and  Other 
Security-Related 
Guidance  for  Residences 
Are  Confusing  in  Nature 
and  Contain  Gaps  and 
Inconsistencies,  Making 
Them  Difficult  to  Use 


According  to  federal  internal  control  standards,  policy  standards  should 
be  clear,  complete,  and  consistent  in  order  to  facilitate  good  decision 
making  in  support  of  agency  objectives.29  The  FAH  similarly  directs 
officials  who  are  drafting  FAH  and  FAM  directives  to  write  “in  plain 
language  whenever  possible”  and  to  convey  “a  clear  sense  of  what  you 
want  the  reader  to  do  or  not  do.”30  However,  we  found  that  relevant  State 
residential  security  standards  and  related  guidance  are  confusing  in 
nature  and  contain  gaps  and  inconsistencies,  making  it  difficult  for  RSOs 
to  identify  and  apply  the  appropriate  security  measures.31 


28GAO-14-655. 

29GAO/AI M  D-00-2 1.3.1. 

302  FAH-1  H-100. 

31We  identified  gaps  and  inconsistencies  in  relevant  standards  and  security-related 
guidance  for  residences  in  the  course  of  (1 )  conducting  an  analysis  of  the  OSPB 
standards,  the  Residential  Security  Handbook,  and  the  Physical  Security  Handbook  to 
develop  our  facility  review  checklists  and  (2)  discussing  the  guidance  with  knowledgeable 
State  officials.  Because  it  was  beyond  the  scope  of  this  engagement  to  systematically 
review  all  residential  security  standards  and  related  guidance  for  gaps  and  consistencies, 
we  cannot  generalize  our  findings  to  all  standards  and  security-related  guidance  for 
residences. 


Page  16 


GAO-15-700  Diplomatic  Security 


Several  aspects  of  State’s  residential  security  standards  and  related 

guidance  contribute  to  their  confusing  nature. 

•  Dispersed  across  the  FAH  and  FAM.  State’s  residential  security 
standards  and  related  guidance  are  presented  throughout  various 
sections  of  the  FAH  and  FAM.  RSOs  at  six  posts  we  visited  and  even 
some  headquarters  officials  involved  in  developing  the  standards 
stated  that  they  find  it  challenging  to  keep  track  of  all  the  sections 
where  relevant  standards  and  guidance  appear.  We  located  relevant 
standards  and  guidance  in  nine  different  subchapters  of  the  FAH  and 
FAM.  Further,  one  of  the  subchapters  refers  to  a  set  of  standards  that 
predated  the  1998  embassy  bombings  and  no  longer  exists.  DS  has 
taken  steps  to  mitigate  this  dispersion  by  creating  tables  that 
consolidate  the  relevant  standards.  Specifically,  DS  has  created 
tables  for  each  of  the  following:  (1 )  the  standards  for  newly  acquired 
on-compound  housing;  (2)  the  standards  for  existing  on-compound 
housing;  and  (3)  the  standards  for  off-compound  residences,  including 
the  new  May  2014  standards  to  address  terrorism.  DS  officials  stated 
in  April  2015  that  they  had  not  yet  provided  RSOs  with  the  table  for 
off-compound  residences  but  planned  to  do  so  in  May  2015.  In 
addition,  DS  officials  told  us  that  they  plan  to  develop  an  automated 
template  for  on-compound  housing  to  assist  RSOs  in  identifying  the 
relevant  standards. 

•  Confusing  terminology.  RSOs  at  five  posts  stated  that  the  standards 
and  guidance  are  sometimes  worded  in  a  confusing  manner. 
Specifically,  while  some  standards  are  worded  as  mandatory 
measures  that  “must”  be  taken,  others  are  worded  in  a  way  that  could 
be  interpreted  as  mandatory  or  discretionary.  For  example,  some 
measures  “should”  or  will  “ideally”  be  taken,  or  are  “recommended”; 
likewise,  some  standards  “must  be  considered,”  while  others  “should 
be  considered.”  DS  officials  told  us  that  the  intent  of  using  various 
terms  in  the  guidance  is  to  give  RSOs  some  flexibility  in  deciding 
which  measures  are  applicable  to  their  posts.  However,  a  number  of 
RSOs  told  us  that  they  sometimes  had  difficulty  deciding  whether  and 
how  to  apply  certain  standards  because  of  their  confusing  wording. 
These  RSOs  said  that  difficulties  in  distinguishing  the  nuances 
between  the  various  terms  used  in  the  standards  sometimes  resulted 
in  their  uncertainty  as  to  whether  the  residences  at  their  posts  were 
fully  in  compliance  with  the  standards. 

•  Unclear  housing  categories.  While  the  new  standards  issued  in  May 
2014  include  a  section  outlining  specific  security  measures  for 
residential  compounds,  DS  headquarters  officials  told  us  that  they 
have  had  difficulty  defining  what  differentiates  this  type  of  housing 
from  single  family  homes  located  in  gated  communities,  which  are 


Page  17 


GAO-15-700  Diplomatic  Security 


subject  to  a  separate  set  of  security  measures.  Officials  added  that  in 
the  absence  of  clearly  defined  housing  categories,  it  is  difficult  for 
RSOs  to  know  which  standards  to  apply. 

In  addition  to  finding  State’s  residential  security  standards  and  guidance 

to  be  confusing  in  nature,  we  identified  multiple  gaps  and  inconsistencies, 

including  the  examples  described  below. 

•  The  previous  version  of  the  FAM  subchapter  detailing  State’s  program 
for  residential  security  stated  that  when  a  post  experiences  a  change 
in  its  Security  Environment  Threat  List  rating,  the  post  must  resurvey 
residences  to  determine  what  security  upgrades,  if  any,  are  needed. 
However,  a  new  version  of  the  FAM  subchapter  published  in  August 
2014  does  not  include  this  requirement.  When  we  asked  DS  officials 
about  this,  they  told  us  it  was  an  oversight  and  stated  that  the 
requirement  still  exists.  They  also  stated  that  because  we  brought  this 
issue  to  their  attention,  they  plan  to  revise  the  standards  issued  in 
May  2014  to  include  the  requirement. 

•  While  the  new  standards  released  in  May  2014  call  for  pedestrian  and 
vehicle  gates  at  residences  to  have  locking  devices,  DS  officials  noted 
that  the  standards  as  written  do  not  explicitly  require  the  residences  to 
have  gates.  They  told  us  they  plan  to  modify  the  wording  of  this 
standard  to  clarify  that  gates  are  required. 

•  In  addition  to  announcing  the  completion  of  residential  security 
standards  to  address  terrorism,  the  notification  DS  sent  to  posts  in 
October  2014  enumerated  other  sets  of  security  standards  for  posts  to 
apply,  including  standards  to  address  crime  and  standards  for  newly 
acquired  on-compound  housing.  However,  the  notification  did  not 
mention  the  security  standards  in  effect  at  the  time  for  existing  on- 
compound  housing.  Additionally,  those  standards  for  existing  on- 
compound  housing,  which  dated  back  to  December  1999,  were 
labeled  in  the  FAH  as  standards  for  “new”  on-compound  housing.  This 
could  potentially  have  caused  confusion  since  the  September  2014 
standards  for  newly  acquired  on-compound  housing  are  also  labeled 
as  standards  for  “new”  on-compound  housing.  As  noted  earlier,  State 
issued  new  standards  for  existing  on-compound  housing  in  May  2015. 
Because  State  completed  those  standards  late  in  our  review,  we  were 
unable  to  fully  evaluate  them. 

•  We  found  inconsistent  guidance  on  whether  residential  safe  havens 
are  required  to  have  an  emergency  exit.  The  Residential  Security 
Handbook  states  that  every  residential  safe  haven  must  have  an 
emergency  exit.  By  contrast,  a  definitional  section  of  the  OSPB 
security  standards  states  that  an  emergency  exit  is  required  in 
residential  safe  havens  that  have  grilles  and  are  located  below  the 


Page  18 


GAO-15-700  Diplomatic  Security 


fourth  floor.  A  third  variation  appears  in  the  new  residential  security 
standards  to  address  terrorism  released  in  May  2014;  it  states  that 
residential  safe  havens  must  have  an  emergency  exit  “if  feasible.”  DS 
officials  told  us  that  they  plan  to  update  the  May  2014  standards  to 
help  RSOs  determine  feasibility,  but  it  is  unclear  whether  they  plan  to 
eliminate  the  inconsistencies  we  identified. 

These  gaps  and  inconsistencies  exist  in  part  because  DS  has  not 
comprehensively  reviewed  and  harmonized  its  various  standards  and 
security-related  guidance  for  residences.  The  FAH  requires  OSPB  to 
review  all  the  OSPB  standards  periodically — at  least  once  every  5 
years.32  In  practice,  as  we  previously  reported,  the  process  by  which 
security  standards  are  updated  is  typically  triggered  by  an  event,  such  as 
an  attack,  rather  than  by  a  periodic  and  systematic  evaluation  of  all  the 
standards.33  As  noted  above,  DS  officials  are  planning  updates  to  the 
OSPB  residential  security  standards  to  remedy  some  of  the  issues  we 
found.  DS  officials  also  stated  that  they  are  in  the  process  of  updating  the 
Residential  Security  Handbook  and,  as  part  of  that  effort,  are  adding 
further  clarifications  and  details  to  help  guide  RSOs.  However,  as 
discussed  earlier  in  this  report,  updates  to  the  OSPB  standards  have 
frequently  taken  State  several  years.  Furthermore,  the  planned  updates 
that  DS  officials  discussed  with  us  do  not  constitute  a  comprehensive 
effort  to  review  all  standards  and  security-related  guidance  for  residences 
to  identify  all  potential  gaps,  inconsistencies,  and  instances  where  clarity 
is  lacking.  Consequently,  the  confusing  nature  of  the  standards  and 
guidance  and  the  gaps  and  inconsistencies  they  contain  may  continue  to 
complicate  RSOs’  efforts  to  identify  and  apply  the  appropriate  security 
measures,  potentially  leaving  some  residences  at  greater  risk.  At  a 
minimum,  such  gaps  and  inconsistencies  in  the  standards  and  guidance 
can  lead  to  confusion  and  inefficiency.  For  example,  according  to  RSO 
officials  at  one  post  we  visited,  DS  inspectors  from  headquarters  told 
them  during  a  review  of  the  post’s  security  operations  that  residential  safe 
havens  must  have  a  reliable  water  source  and  grilles  on  all  external 
windows,  including  inaccessible  windows.  We  subsequently  verified  with 
DS  headquarters  that  no  such  requirements  exist  for  residential  safe 
havens. 


3212  FAH-6  Exhibit  H-014.2. 
33GAO-1 4-655. 


Page  19 


GAO-15-700  Diplomatic  Security 


State  Uses  Upgrades 
to  Address 
Residential  Security 
Vulnerabilities,  but 
More  Than  Half  of 
Residences  We 
Reviewed  Did  Not 
Meet  All  Standards 
and  Lacked 
Exceptions 


Over  the  last  6  fiscal  years,  State  has  allocated  about  $170  million  for 
security  upgrades  to  help  address  vulnerabilities  identified  at  diplomatic 
residences.  However,  38  of  the  68  residences  that  we  reviewed  did  not 
meet  all  of  the  applicable  standards,  thereby  potentially  placing  their 
occupants  at  risk.34  In  instances  when  a  residence  does  not  and  cannot 
meet  the  applicable  security  standards,  posts  are  required  to  either  seek 
other  residences  or  request  exceptions,  which  identify  steps  the  posts  will 
take  to  mitigate  vulnerabilities.  However,  DS  had  an  exception  on  file  for 
only  1  of  the  38  residences  that  we  found  did  not  meet  all  of  the 
applicable  standards.  Without  all  necessary  exceptions  in  place,  State 
lacks  information  that  could  provide  decision  makers  with  a  clearer  picture 
of  security  vulnerabilities  at  residences  and  enable  them  to  make  better 
risk  management  decisions.  In  addition,  new,  more  rigorous  security 
standards  will  likely  increase  posts’  need  for  exceptions  and  lead  to 
considerable  costs  for  upgrades. 


State  Uses  Security 
Upgrades  to  Address 
Residential  Security 
Vulnerabilities 


State  addresses  security  vulnerabilities  at  residences  by  installing  various 
kinds  of  upgrades  intended  to  help  residences  meet,  or  in  some  cases 
exceed,  the  applicable  standards.  According  to  State  guidance,  every 
effort  should  be  made  to  have  owners  or  landlords  of  leased  residences 
complete  any  permanent  residential  security  upgrades  at  no  cost  to  the 
U.S.  government.  If  the  owners  or  landlords  are  unwilling  or  unable  to 
complete  the  necessary  upgrades,  RSOs  have  the  option  either  to 
request  funding  for  upgrades  or  seek  alternate  residences.  Security 
upgrades  for  residences  are  primarily  funded  through  DS,  which  funds  all 
upgrades — such  as  window  grilles,  residential  safe  havens,  and  shatter- 
resistant  window  film — other  than  perimeter  barriers  and  some  access 
control  measures  at  certain  residences.35  As  shown  in  table  2,  in  fiscal 
years  2010  through  2015,  DS  allocated  approximately  $164  million  for 
residential  security  upgrades.  Over  the  same  period,  OBO  allocated  more 
than  $6  million  for  residential  security  upgrades  to  perimeter  barriers  and 


34 As  discussed  earlier  in  this  report,  residential  security  standards  vary  by  residence  type, 
date  of  construction  or  acquisition,  and  threat  level.  In  addition,  some  standards  are 
worded  as  mandatory  measures  that  “must”  be  taken,  while  others  are  worded  in  a  way 
that  could  be  interpreted  as  mandatory  or  discretionary.  In  reviewing  the  68  residences  we 
visited,  we  only  considered  standards  that  are  worded  as  mandatory  measures  that  “must” 
be  taken. 

35DS  does  fund  perimeter  barriers  and  some  access  control  measures  for  certain 
residences. 


Page  20 


GAO-15-700  Diplomatic  Security 


some  access  control  measures  at  government-owned  residences  and 
certain  leased  residences.36 


Table  2:  DS  and  OBO  Allocations  for  Residential  Security  Upgrades,  Fiscal  Years  2010-2015 


Dollars  in  millions 


2010 

2011 

2012 

2013 

2014 

2015 

Total 

Bureau  of  Diplomatic  Security  (DS) 

14.4 

10.3 

14.9 

14.4 

89. 4a 

21.0 

164.4 

Bureau  of  Overseas  Buildings  Operations  (OBO)b 

2.0 

1.5 

1.0 

0.5 

1.0 

0.5 

6.5 

Total 

16.4 

11.8 

15.9 

14.9 

90.4 

21.5 

170.9 

Source:  GAO  analysis  of  Department  of  State  data.  |  GAO-15-700 


aThe  fiscal  year  2014  figure  for  DS  includes  $62.8  million  in  Overseas  Contingency  Operations 
funding  for  residential  security  upgrades  to  the  Diplomatic  Transit  Facility  in  Sana’a,  Yemen. 

bOBO  figures  do  not  include  residential  security  upgrades  that  OBO  sometimes  installs  as  part  of  the 
renovation  and  new  construction  of  residences  because  OBO  officials  told  us  that  it  is  not  possible  to 
disaggregate  the  cost  of  security  upgrades  from  the  total  cost  of  such  projects. 


In  some  cases,  RSOs  may  determine  that  the  OSPB  residential  security 
standards  applicable  at  their  posts  are  not  stringent  enough  to  address 
threat  conditions.  In  such  instances,  the  RSO,  in  consultation  with  the 
post’s  Emergency  Action  Committee,  may  seek  to  implement  security 
measures  that  go  above  the  standards.37  If  an  owner  or  landlord  does  not 
agree  to  install  a  security  measure  that  goes  above  the  standards,  the 
post  may  choose  to  request  funding  from  DS.  For  example,  DS  officials 
told  us  that  they  approved  a  request  for  funding  to  install  additional 
security  measures  at  a  post  where  single  family  homes  were  meeting  all 
the  applicable  standards  but  were  still  experiencing  break-ins. 


36OBO  officials  told  us  that  OBO  sometimes  also  installs  residential  security  upgrades  as 
part  of  the  renovation  and  new  construction  of  residences,  but  that  it  is  not  possible  to 
disaggregate  the  cost  of  security  upgrades  from  the  total  cost  of  such  projects. 

37The  Emergency  Action  Committee  is  a  group  of  subject  matter  experts  at  each  post  that 
provides  the  ambassador  or  principal  officer  with  guidance  to  prepare  for  and  respond  to 
threats,  emergencies,  and  other  crises  at  the  post  or  against  U.S.  interests  elsewhere. 


Page  21 


GAO-15-700  Diplomatic  Security 


More  Than  Half  of  the  68 
Residences  We  Visited 
Did  Not  Meet  All 
Mandatory  Standards;  DS 
Had  an  Exception  on  File 
for  1 


Diplomatic  residences  are  required  to  meet  OSPB  security  standards.38 
The  FAH  and  the  FAM  state  that  when  residences  do  not  meet  and 
cannot  be  made  to  meet  the  applicable  standards,  and  no  other 
acceptable  alternatives  are  available,  posts  are  required  to  request 
exceptions  to  the  standards  from  DS  headquarters.39  According  to  State, 
exception  requests  are  required  to  identify  the  steps  posts  will  take  to 
mitigate  vulnerabilities,  and  approved  exceptions  serve  to  document 
State’s  acceptance  of  any  unmitigated  risk  that  remains.  DS  officials 
clarified  that  posts  are  required  to  apply  for  exceptions  for  any  unmet 
standards  that  are  worded  in  terms  of  mandatory  measures  that  “must”  be 
taken.40  However,  more  than  half  of  the  residences  we  reviewed  at  the 
seven  posts  we  visited  did  not  meet  all  applicable  mandatory  security 
standards  and  lacked  required  exceptions  to  those  standards.  Of  the  68 
residences  we  reviewed  at  the  seven  posts,  38  did  not  meet  all  of  the 
mandatory  standards  applicable  to  them  at  the  time  even  though, 
according  to  post  officials,  most  of  the  38  received  security  upgrades  in 
recent  years.41  Moreover,  23  of  the  38  residences  did  not  meet  two  or 
more  of  the  mandatory  standards. 

When  we  discussed  the  unmet  standards  we  found  with  RSOs  and  other 
post  officials,  they  generally  agreed  with  our  assessments  and  stated  in 
several  cases  that  they  would  take  steps  to  address  the  vulnerabilities.  In 
some  cases,  though,  post  officials  were  unable  to  provide  explanations 
for  unmet  standards.  For  instance,  although  3  of  the  4  off-compound 
principal  officer  residences  we  visited  did  not  have  grilles  on  all 
accessible  windows  as  required — thereby  creating  vulnerabilities  at  these 
potentially  high-profile  targets — officials  could  not  explain  why  grilles  were 
missing  other  than  to  suggest  that  current  principal  officers  and  their 
predecessors  may  have  wanted  to  leave  certain  windows  without  grilles 
for  aesthetic  purposes.  In  addition,  two  factors  discussed  earlier  in  this 


3812  FAM  330. 

3912  FAH-6  FI-130  and  12  FAM  470. 

40By  contrast,  DS  officials  told  us  that  if  an  unmet  standard  is  not  a  mandatory  measure 
that  “must”  be  taken,  no  exception  to  the  standard  is  needed. 

41 

Of  the  68  residences  we  reviewed,  12  were  on-compound  residences,  and  56  were  off- 
compound  residences.  Of  the  56  off-compound  residences,  9  were  off-compound 
residences  acquired  on  or  after  July  1, 2014.  Thus,  at  the  time  of  our  visit,  these 
residences  were  subject  to  new  residential  security  standards  to  address  terrorism  issued 
in  May  2014.  The  remaining  47  off-compound  residences  were  acquired  prior  to  July  1, 
2014,  and  thus  were  subject  to  older  standards. 


Page  22 


GAO-15-700  Diplomatic  Security 


Nearly  All  of  the  Residences 
We  Visited  That  Did  Not  Meet 
All  Mandatory  Standards  Were 
Missing  Required  Exceptions 


report  may  contribute  to  unmet  standards.  First,  missing  or  outdated 
residential  security  surveys  may  hamper  posts’  ability  to  identify  and 
address  residential  security  vulnerabilities  that  could  have  otherwise  been 
recognized  and  corrected.  Second,  the  difficult-to-use  nature  of  the  OSPB 
standards  and  other  security-related  guidance  for  residences  can 
complicate  RSOs’  efforts  to  identify  and  apply  the  appropriate  security 
measures. 

Of  the  38  residences  we  reviewed  that  did  not  meet  all  of  the  applicable 
mandatory  standards,  DS  had  an  exception  on  file  for  only  1.  In  some 
cases,  such  as  residences  with  doors  lacking  deadbolt  locks  or 
peepholes,  DS  officials  told  us  that  relatively  little  effort  or  funding  would 
be  needed  to  bring  the  residence  into  compliance  with  the  standards  and 
thereby  eliminate  the  need  for  an  exception.  However,  many  of  the  38 
residences  that  did  not  meet  all  of  the  applicable  mandatory  standards 
had  more  significant  vulnerabilities.  For  instance,  as  noted  earlier,  3  of  the 
4  off-compound  principal  officer  residences  we  visited  did  not  meet  the 
standard  that  all  accessible  windows  must  have  grilles  when  such 
residences  are  located  at  posts  rated  high  for  political  violence  or  crime; 
DS  did  not  have  exceptions  for  any  of  the  3.  Likewise,  5  of  the  7  off- 
compound  apartments  acquired  after  July  1,  2014 — and  therefore  subject 
to  the  new  May  2014  standards — did  not  have  perimeter  barriers 
surrounding  them  as  required  by  the  standards;  none  of  the  5  had 
exceptions. 

We  found  that  required  exceptions  for  residences  were  missing  for  three 
key  reasons.  First,  posts  do  not  always  request  exceptions  when  they  are 
needed.  For  example,  of  the  3  posts  where  off-compound  principal  officer 
residences  lacked  some  window  grilles,  none  had  requested  exceptions 
to  this  unmet  standard.  DS  headquarters  officials  told  us  that  State’s 
guidance  for  posts  on  how  to  request  residential  security  exceptions  has 
historically  been  limited  and  vague,  which,  according  to  them,  may 
explain  why  posts  do  not  always  request  exceptions  when  they  are 
needed.  In  cases  where  residences  acquired  since  July  1,  2014,  did  not 
meet  all  of  the  standards  issued  in  May  2014,  the  lack  of  exceptions  is 
understandable,  given  that  the  posts  acquired  the  residences  before 
being  notified  of  the  new  standards  in  October  2014.  In  other  cases, 
though,  the  residences  in  question  had  been  acquired  several  years  or 
even  decades  prior,  and  the  standards  we  found  that  they  were  not 
meeting  had  also  been  in  existence  for  years. 

Second,  until  recently,  State  guidance  on  exceptions  did  not  clearly 
identify  the  roles  and  responsibilities  of  key  offices  involved  in  managing 


Page  23 


GAO-15-700  Diplomatic  Security 


the  exception  process,  leading  to  confusion  within  DS  headquarters  and 
potentially  at  posts  as  well.  In  2007,  State  established  FAM  guidance 
identifying  an  office  within  DS’s  Directorate  for  International  Programs 
(DS/IP)  as  the  office  responsible  for  managing  the  residential  security 
exception  process.42  DS  officials  explained  that,  in  practice,  a  different 
office  within  DS’s  Directorate  for  Countermeasures  (DS/C)  has  handled 
residential  exception  requests  since  the  late  1980s  and,  because  of 
limited  staffing  in  DS/IP,  continued  to  do  so  even  after  State  guidance 
named  DS/IP  as  the  responsible  office  in  2007.  However,  State  did  not 
revise  the  FAM  guidance  to  identify  DS/C  as  the  responsible  office. 
Subsequently,  in  August  2014,  DS  provided  us  with  a  written  response 
stating  that,  as  of  that  date,  it  had  not  received  any  requests  for 
residential  security  exceptions.  We  subsequently  learned  the  written 
response  was  drafted  by  DS/IP,  which  was  unaware  that  DS/C  had  been 
receiving  and  processing  exception  requests  for  residences  since  the  late 
1980s.  Since  that  time,  the  two  offices  have  clarified  their  roles  and 
responsibilities  with  respect  to  residential  security  exceptions. 

Specifically,  officials  told  us  in  April  2015  that  DS/C  is  now  handling  all 
exception  requests  related  to  setback,  while  DS/IP  is  handling  all  other 
exception  requests. 

Third,  weaknesses  exist  in  DS’s  tracking  of  exceptions.  The  FAM  states 
that  State  documentation  should  be  complete  to  the  extent  necessary  to 
facilitate  decision  making.43  However,  we  found  weaknesses  that  raise 
questions  about  the  completeness  of  DS’s  documentation  on  exceptions. 
For  example,  a  list  DS  provided  in  response  to  our  request  for  data  on  all 
residential  security  exceptions  only  shows  exceptions  to  the  setback 
standard.  As  noted  earlier,  DS  had  an  exception  on  file  for  1  of  the  38 
residences  we  reviewed  that  did  not  meet  all  of  the  applicable  mandatory 
standards.  In  reviewing  the  exception  package  for  that  residence,  we 
noted  that  the  post  requested — and  received  approval  for — exceptions  to 
four  different  standards.  The  exception  package  also  lists  mitigation 
actions  the  post  plans  to  take.  DS’s  list  mentions  that  an  exception  was 
granted  to  the  setback  standard,  but  it  does  not  mention  any  of  the  other 
three  standards  to  which  DS  granted  exceptions  or  the  planned  mitigation 
actions.  In  addition,  while  the  list  DS  provided  identifies  the  post  that 
requested  each  exception,  it  does  not  identify  the  specific  residence  for 


4212  FAM  330. 
435  FAM  420. 


Page  24 


GAO-15-700  Diplomatic  Security 


which  the  exception  was  requested.  DS  officials  stated  that  in  order  to 
identify  the  specific  residence  for  which  a  given  exception  was  requested 
and  approved,  they  would  have  to  locate  the  paper  copy  of  the  exception 
package — a  potentially  time-consuming  task  given  that,  according  to  DS 
officials,  the  paper  copies  of  residential  exception  packages  are 
commingled  with  thousands  of  exception  packages  for  office  facilities 
dating  back  as  far  as  1986.  Because  of  these  weaknesses,  DS’s  list  has 
limited  utility  in  helping  DS  and  posts  understand  which  residences  may 
have  security  vulnerabilities  stemming  from  unmet  standards. 

While  DS  is  taking  steps  to  improve  its  guidance  and  tracking  for 
exceptions,  it  is  unclear  if  the  planned  improvements  will  fully  address  the 
factors  that  have  contributed  to  missing  exceptions.  DS  officials  told  us 
that  as  part  of  their  ongoing  update  to  the  Residential  Security  Handbook, 
they  will  be  providing  additional  guidance  for  RSOs  on  how  to  submit 
requests  for  exceptions.  Since  that  initiative  is  still  in  development,  it  is 
too  early  to  assess  its  effectiveness.  Additionally,  DS/C  officials  told  us 
that  they  have  begun  converting  paper  copies  of  exception  packages  they 
have  processed  to  electronic  form — a  task  they  estimate  will  take  about  5 
months — and  both  DS/IP  and  DS/C  have  developed  databases  to  record 
exception  requests.  As  noted  earlier,  the  FAM  calls  for  State 
documentation  to  be  complete  to  the  extent  necessary  to  facilitate 
decision  making;44  however,  neither  office  currently  plans  for  its  database 
to  include  all  of  the  exceptions  processed  by  the  other  office. 
Consequently,  DS  may  lack  a  complete  picture  of  all  the  residential 
exceptions  it  has  processed — valuable  information  that  could  help  it  better 
understand  the  types  of  security  vulnerabilities  at  residences  and  thus 
make  better  informed  risk  management  decisions. 


445  FAM  420. 


Page  25 


GAO-15-700  Diplomatic  Security 


New,  More  Rigorous 
Security  Standards  Will 
Likely  Increase  Posts’ 
Need  for  Exceptions  and 
Lead  to  Considerable 
Costs  for  Upgrades 


In  addition  to  reviewing  residences  against  the  mandatory  security 
standards  applicable  to  them  at  the  time  of  our  visit,  we  also  reviewed 
them  using  the  new  May  2014  standards  in  order  to  assess  the  impact 
these  standards  will  have  on  posts,  DS  headquarters,  and  future  State 
funding  requests.  As  discussed  earlier,  by  July  2017,  all  off-compound 
residences  will  be  required  to  meet  the  new  standards  to  address 
terrorism.  If  the  residences  do  not  meet  the  standards  and  cannot  be 
upgraded  to  meet  them,  posts  will  be  required  to  apply  for  exceptions.45 
DS  officials  indicated  that  the  new  standards  are  more  rigorous  than  the 
previous  ones  and  that  many  existing  residences  may  be  unable  to  meet 
them.  Overall,  55  of  the  56  off-compound  residences  we  reviewed  did  not 
meet  all  of  the  new  standards,  including  49  residences  that  did  not  meet 
two  or  more.46  As  a  result  of  the  new  standards,  DS  officials  expect  the 
need  for  posts  to  apply  for  exceptions  to  increase.  For  example,  officials 
at  one  post  told  us  that  they  do  not  believe  it  will  be  possible  for  any  of  the 
approximately  300  apartments  occupied  by  U.S.  personnel  at  that  post — 
or  for  other  apartments  available  at  their  post — to  meet  the  new 
mandatory  standard  of  a  perimeter  barrier  surrounding  the  building.  In 
other  cases,  it  will  be  possible  to  upgrade  existing  residences  to  meet  the 
new  standards,  but  the  associated  costs  may  be  considerable.  For 
instance,  RSO  officials  at  the  post  with  about  300  apartments  stated  that 
they  will  need  to  install  alarms  and  residential  safe  havens  to  meet  the 
new  standards,  at  a  cost  of  approximately  $3,000  per  residence.  They 
added  that  it  is  unlikely  that  current  landlords  will  agree  to  pay  for  these 
upgrades.  The  2014  Security  Environment  Threat  List  indicates  that 
nearly  45  of  the  275  U.S.  diplomatic  posts  worldwide  have  higher  threat 
ratings  for  terrorism  than  for  political  violence  and  crime  and  thus  will 
likely  have  to  adopt  additional  security  measures — potentially  at 
significant  cost  to  the  U.S.  government — in  order  to  meet  the  new 
standards  to  address  terrorism.  Furthermore,  additional  upgrades — and 
thus  additional  funding — will  likely  be  needed  as  posts  take  steps  to  apply 
the  new  standards  for  existing  on-compound  housing,  which,  according  to 


4512  FAH-6  H-130. 

460f  the  56  off-compound  residences  we  reviewed,  47  were  acquired  prior  to  July  1, 2014; 
thus,  at  the  time  of  our  visit,  they  were  not  yet  subject  to  the  new  residential  security 
standards  to  address  terrorism  issued  in  May  2014,  but  they  will  have  to  meet  those 
standards  within  3  years.  The  remaining  9  off-compound  residences  we  visited  (7 
apartments  and  2  single  family  homes)  were  acquired  on  or  after  July  1, 2014;  thus,  at  the 
time  of  our  visit,  they  were  already  subject  to  the  new  standards  issued  in  May  2014. 


Page  26 


GAO-15-700  Diplomatic  Security 


DS  officials,  are  also  more  rigorous  than  the  standards  that  preceded 
them. 

DS  headquarters  officials  told  us  that  because  of  our  inquiries  about  the 
implications  of  the  new  standards  to  address  terrorism — such  as  the 
financial  cost  of  meeting  them — they  had  decided  to  conduct  a  survey  of 
posts  to  assess  the  extent  to  which  each  one  currently  meets  the  new 
standards.  According  to  these  officials,  the  results  of  the  survey  will  help 
them  estimate  the  cost  of  upgrades  needed  to  meet  the  new  standards 
and  will  provide  them  with  valuable  information  on  the  types  of 
vulnerabilities  that  currently  exist  at  residences.  They  stated  that  they 
anticipate  the  survey  may  also  help  them  determine  how  much  time  it  will 
take  to  review  and  process  posts’  requests  for  exceptions.  DS  officials 
added  that  they  plan  to  send  the  survey  to  posts  in  May  2015. 


State  Has  Taken 
Steps  to  Manage 
Risks  to  Schools  and 
Other  Soft  Targets, 
but  Its  Efforts  May  Be 
Constrained  by 
Limited  Awareness  of 
Relevant  Guidance 
and  Tools 


State’s  efforts  to  protect  U.S.  personnel  and  their  families  at  schools  and 
other  soft  targets  include  funding  physical  security  upgrades,  providing 
threat  information  and  security-related  advice,  and  conducting  security 
surveys  of  various  soft  target  facilities.  However,  RSOs  at  most  of  the 
accompanied  posts  we  visited  were  unaware  of  some  guidance  and  tools 
for  securing  these  facilities.47  As  a  result,  State  may  not  be  taking  full 
advantage  of  its  programs  and  resources  for  managing  risks  at  schools 
and  other  soft  targets. 


470ne  of  the  seven  posts  we  visited  was  an  “unaccompanied  post” — a  post  deemed  too 
dangerous  for  diplomatic  personnel  to  be  accompanied  by  their  families.  We  do  not  include 
that  post  in  our  discussion  of  State  efforts  to  secure  schools  attended  by  U.S.  government 
dependents. 


Page  27 


GAO-15-700  Diplomatic  Security 


State  Funds  Security 
Upgrades,  Shares  Threat 
Information,  and  Conducts 
Security  Surveys  to 
Manage  Risks  to  Schools 
and  Other  Soft  Targets 


State  has  taken  a  variety  of  actions  to  manage  risks  to  schools  and  other 
soft  targets.  These  actions  fall  into  three  main  categories:  (1)  funding 
security  upgrades  at  K-12  schools  with  enrolled  U.S.  government 
dependents  and  off-compound  employee  association  facilities,  (2)  sharing 
threat  information  and  providing  advice  for  mitigating  threats  at  schools 
and  other  soft  targets,  and  (3)  conducting  security  surveys  to  identify  and 
manage  risks  to  schools  and  other  soft  targets. 


First,  in  2003,  State  developed  a  multiphase  initiative  known  as  the  Soft 
Target  Program  to  protect  U.S.  personnel  and  their  families  at  schools 
and  off-compound  employee  association  facilities.48  With  respect  to 
schools,  the  Soft  Target  Program  funds  physical  security  upgrades  at 
existing  K-12  schools  with  enrolled  U.S.  government  dependents. 
Program  funding  was  initially  limited  to  “American-sponsored”  schools 
that  receive  State  assistance.  Subsequently,  eligibility  for  program 
funding  was  expanded  to  non-American-sponsored  schools  that  enroll 
U.S.  dependents  or  are  expected  to  enroll  such  students  within  the  next  6 
months,  in  fiscal  years  2010  through  2015,  State  allocated  almost  $28 
million  for  security  upgrades  through  the  Soft  Target  Program  (see  table 
3).  State  has  used  approximately  $23.8  million  of  these  allocations  to 
award  almost  400  grants  for  specific  upgrades.  Of  these  awards, 
approximately  97  percent  ($23.1  million  of  $23.8  million)  went  to  schools, 
with  the  remaining  3  percent  provided  for  off-compound  employee 
association  facilities.  According  to  State  documentation,  since  the  Soft 
Target  Program  began  in  2003,  State  has  provided  schools  with  more 
than  $100  million  for  physical  security  upgrades.  American-sponsored 
schools  received  $63  million  of  this  funding;  other  schools  received  the 
remaining  $38  million. 


Table  3:  Allocations  for  Security  Upgrades  from  Soft  Target  Program,  Fiscal  Years  2010-2015 

Dollars  in  millions 

2010  2011  2012  2013  2014 

2015 

Total 

Soft  Target  Program3  6.5  5.0  4.0  4.0  4.1 

4.1 

27.7 

Source:  Department  of  State.  |  GAO-15-700 


aThe  Soft  Target  Program  is  funded  out  of  the  Embassy  Security,  Construction,  and  Maintenance 
appropriation. 


AQ 

We  previously  reported  on  this  program  in  May  2005.  See  GAO-05-642. 


Page  28 


GAO-15-700  Diplomatic  Security 


At  the  posts  we  visited,  RSOs  had  worked  with  schools  to  identify 
physical  security  needs  and  obtain  funding  for  upgrades  such  as  walls, 
guard  booths,  public  address  systems,  and  window  grilles.  In  addition  to 
school  security  upgrades,  we  also  saw  Soft  Target  Program-funded 
security  upgrades  at  employee  association  facilities,  such  as  closed- 
circuit  television  systems,  perimeter  walls,  and  access  control  systems. 
Overall,  RSOs  and  school  administrators  told  us  they  were  pleased  with 
the  upgrades.  However,  State  does  not  operate  or  control  the  schools 
eligible  for  Soft  Target  Program  upgrades;  as  a  result,  the  extent  to  which 
eligible  schools  cooperate  with  posts  on  security-related  issues  depends 
on  the  willingness  of  the  schools’  administrators. 

Second,  State  officials  help  manage  risks  to  schools  and  other  soft 
targets  by  sharing  threat  information  and  providing  advice  on  how  to 
mitigate  such  threats.  RSO  outreach  to  schools  at  the  posts  we  visited 
included  sharing  information  related  to  specific  threats,  such  as  apprising 
school  administrators  about  the  recent  posting  on  a  jihadist  website 
calling  for  attacks  on  western-affiliated  teachers  and  schools  in  the  Middle 
East.  In  addition,  at  one  post  architects  designing  a  new  American- 
sponsored  school  cited  security  advice  provided  by  the  RSO  as  the 
impetus  for  them  to  undertake  a  more  security-conscious  redesign.  RSOs 
at  all  the  accompanied  posts  we  visited  stated  that  they  also  share  local 
threat  information  with  schools  and  others  outside  the  U.S.  government. 
Additionally,  RSOs  we  met  with  told  us  that  they  communicate  with 
security  officials  at  British,  Canadian,  and  other  embassies  in  the  area 
they  cover  to  help  deter  attacks  on  soft  targets  by  raising  overall  threat 
awareness. 

Third,  RSOs  conduct  security  surveys  to  help  identify  and  manage  risks 
to  schools  and  other  soft  targets.  Although  State  does  not  control  schools, 
hotels,  or  hospitals  overseas,  RSOs  at  all  the  accompanied  posts  we 
visited  had  conducted  security  surveys  of  such  facilities.  State  is  currently 
in  the  process  of  developing  security  standards  for  off-compound 
employee  association  facilities  in  response  to  our  June  2014 
recommendation  that  State  develop  physical  security  standards  for 
facilities  not  covered  by  existing  standards.49 


49GAO-1 4-655. 


Page  29 


GAO-15-700  Diplomatic  Security 


Awareness  of  Some  State 
Guidance  and  Tools  for 
Securing  Schools  and 
Other  Soft  Targets  Is 
Limited 


Federal  internal  control  standards  call  for  agencies  to  communicate  the 
information  necessary  for  conducting  the  agency’s  operations  to  those 
within  the  entity  responsible  for  carrying  out  these  activities  in  a  form  and 
time  frame  that  allows  them  to  carry  out  their  responsibilities.50  State  has 
established  guidance  for  RSOs  regarding  the  security  of  schools  and 
other  soft  targets  as  well  as  tools  to  assist  RSOs’  security-related 
outreach  with  schools,  but  half  of  the  RSOs  we  met  with  at  the  six 
accompanied  posts  stated  that  the  only  guidance  or  tools  they  were 
aware  of  with  respect  to  schools  and  soft  targets  was  a  cable  with 
information  on  the  types  of  items  that  can  be  funded  through  the  Soft 
Target  Program.  One  post  was  using  an  outdated  version  of  this  cable. 
Additionally,  two  RSOs  described  the  cable  as  lacking  sufficient  detail  on 
the  specific  types  of  upgrades  allowed  and  disallowed.  Additional  Soft 
Target  Program  guidance  does  exist  in  the  FAM — including  details  on 
grant  eligibility  and  the  roles,  responsibilities,  procedures,  and 
requirements  related  to  project  development  and  implementation — but  the 
relevant  FAM  subchapter  was  not  mentioned  in  any  of  the  Soft  Target 
Program  cables  we  reviewed,  and  no  RSOs  cited  that  FAM  subchapter  as 
a  source  of  guidance  with  which  they  were  familiar.  OBO  officials  stated 
that  they  believe  the  Soft  Target  Program  cable  provides  RSOs  with  the 
necessary  level  of  information  but  noted  that  they  plan  to  issue  an 
updated  version  of  the  cable  with  additional  detail.  They  also  stated  that 
they  see  value  in  mentioning  the  associated  FAM  subchapter  in  the 
updated  cable. 

With  respect  to  tools,  in  2008,  State’s  Office  of  Overseas  Schools,  DS, 
and  OBO  published  a  booklet — Security  Guide  for  International  Schools — 
and  an  accompanying  CD  to  assist  international  schools  in  designing  and 
implementing  a  security  program.  These  are  tools  that  RSOs  can  offer  to 
all  schools — including  those  otherwise  ineligible  for  upgrades  funded  by 
the  Soft  Target  Program.  However,  RSOs  at  the  majority  of  the  posts  we 
visited  were  unaware  of  this  security  guide,  but  after  we  brought  it  to  their 
attention,  some  stated  that  they  planned  to  share  it  with  schools  at  their 
posts. 

Because  of  limited  awareness  of  the  guidance  and  tools  for  securing 
schools  and  other  soft  targets,  State  may  not  be  fully  leveraging  its 


50GAO/AIMD-O0-21 .3.1 . 


Page  30 


GAO-15-700  Diplomatic  Security 


existing  programs  and  resources  for  addressing  the  security  needs  of 
schools  and  other  soft  targets. 


Conclusions 


Thousands  of  U.S.  diplomatic  personnel  and  their  families  live  in  an 
overseas  environment  that  presents  myriad  security  threats  and 
challenges.  While  State  has  taken  significant  measures  to  enhance 
security  at  its  embassies  and  consulates  since  the  1998  East  Africa 
embassy  bombings,  these  same  actions  have  given  rise  to  concerns  that 
would-be  attackers  may  shift  their  focus  to  what  they  perceive  as  more 
accessible  targets,  such  as  diplomatic  residences,  schools,  and  other 
places  frequented  by  U.S.  personnel  and  their  families.  We  found  that 
State  has  taken  various  steps  to  address  threats  to  residences  and  other 
soft  targets.  For  instance,  over  the  last  6  fiscal  years,  State  allocated 
nearly  $200  million  for  security  upgrades  for  residences,  schools,  and  off- 
compound  employee  association  facilities,  and  it  has  also  made  efforts  to 
modernize  the  physical  security  standards  that  residences  must  meet. 
However,  we  found  vulnerabilities  at  many  of  the  residences  we  reviewed 
and  a  number  of  gaps  or  weaknesses  in  State’s  implementation  of  its  risk 
management  activities.  For  example,  posts  do  not  always  complete 
residential  security  surveys  as  required,  exceptions  are  missing  for  many 
residences  that  require  them,  and  DS’s  tracking  of  exceptions  is 
fragmented  between  two  offices.  As  a  result,  State  lacks  full  awareness  of 
the  vulnerabilities  that  exist  at  residences.  Similarly,  State’s  physical 
security  standards  and  security-related  guidance  for  residences  are 
difficult  to  use,  and  awareness  of  its  guidance  and  tools  for  schools  and 
other  types  of  soft  targets  is  limited.  Each  of  these  issues  is  problematic 
on  its  own,  but  taken  together,  they  raise  serious  questions  about  State’s 
ability  to  make  timely  and  informed  risk  management  decisions  about  soft 
targets.  Until  it  addresses  these  issues,  State  cannot  be  assured  that  the 
most  effective  security  measures  are  in  place  at  a  time  when  U.S. 
personnel  and  their  families  are  facing  ever-increasing  threats  to  their 
safety  and  security. 


Rprnmmpnrlatinn^  fnr  er|hance  state’s  efforts  to  manage  risks  to  residences,  schools,  and 

other  soft  targets  overseas,  we  recommend  that  the  Secretary  of  State 
Executive  Action  direct  DS  to  take  the  following  five  actions: 

1.  Institute  procedures  to  improve  posts’  compliance  with  requirements 
for  conducting  residential  security  surveys. 


Page  31 


GAO-15-700  Diplomatic  Security 


2.  Take  steps  to  clarify  existing  standards  and  security-related  guidance 
for  residences.  For  example,  DS  could  conduct  a  comprehensive 
review  of  its  various  standards  and  security-related  guidance  for 
residences  and  take  steps  to  identify  and  eliminate  gaps  and 
inconsistencies. 

3.  Develop  procedures  for  ensuring  that  all  residences  at  posts  overseas 
either  meet  applicable  standards  or  have  required  exceptions  on  file. 

4.  Ensure  that  DS/IP  and  DS/C  share  information  with  each  other  on  the 
exceptions  they  have  processed  to  help  DS  establish  a  complete 
picture  of  all  residential  security  exceptions  on  file. 

5.  Take  steps  in  consultation  with  OBO  to  ensure  that  RSOs  are  aware 
of  existing  guidance  and  tools  regarding  the  security  of  schools  and 
other  soft  targets.  For  example,  DS  and  OBO  could  modify  the  Soft 
Target  Program  cable  to  reference  the  associated  FAM  subchapter. 


Agency  Comments 


We  provided  a  draft  of  this  report  for  review  and  comment  to  State  and 
the  U.S.  Agency  for  International  Development.  We  received  written 
comments  from  State,  which  are  reprinted  in  appendix  II.  State  agreed 
with  all  five  of  our  recommendations  and  highlighted  a  number  of  actions 
it  is  taking  or  plans  to  take  to  implement  the  recommendations.  The  U.S. 
Agency  for  International  Development  did  not  provide  written  comments 
on  the  report. 


We  are  sending  copies  of  this  report  to  the  appropriate  congressional 
committees,  the  Secretary  of  State,  and  the  Administrator  for  the  U.S. 
Agency  for  International  Development.  In  addition,  the  report  is  available 
at  no  charge  on  the  GAO  website  at  http://www.gao.gov. 

if  you  or  your  staff  have  any  questions  about  this  report,  please  contact 
me  at  (202)  512-8980  or  courtsm@gao.gov.  Contact  points  for  our  Offices 
of  Congressional  Relations  and  Public  Affairs  may  be  found  on  the  last 
page  of  this  report.  GAO  staff  who  made  key  contributions  to  this  report 
are  listed  in  appendix  III. 


Director,  International  Affairs  and  Trade 


Page  32 


GAO-15-700  Diplomatic  Security 


Appendix  I:  Objectives,  Scope,  and 
Methodology 


The  objectives  of  our  report  were  to  evaluate  (1)  how  the  Department  of 
State  (State)  assesses  risks  to  residences  overseas;  (2)  the  timeliness, 
clarity,  and  consistency  of  State’s  security  standards  for  residences;  (3) 
how  State  addresses  security  vulnerabilities  at  residences;  and  (4)  how 
State  manages  risks  to  other  soft  targets  overseas. 

To  address  these  objectives,  we  reviewed  U.S.  laws;  relevant  State 
security  policies  and  procedures  as  found  in  cables,  the  Foreign  Affairs 
Manual  (FAM),  and  the  Foreign  Affairs  Handbooks  (FAH) — in  particular, 
the  Residential  Security  Handbook,  Physical  Security  Handbook, 
Overseas  Security  Policy  Board  (OSPB)  standards,  and  information  and 
guidance  related  to  State’s  residential  security  program  and  Soft  Target 
Program;1  the  Bureau  of  Diplomatic  Security’s  (DS)  threat  and  risk 
ratings,  periodic  assessments  of  post  security  programs,  and  residential 
security  exceptions;  post-specific  documents  pertaining  to  security  of 
residences  and  other  soft  targets;  classified  Accountability  Review  Board 
reports  and  Interagency  Security  Assessment  Team  recommendations; 
and  past  GAO,  State  Office  of  inspector  General,  and  Congressional 
Research  Service  reports.  We  assessed  DS’s  risk  management  practices 
against  its  own  policies  and  standards,  best  practices  identified  by  GAO,2 
and  federal  internal  control  standards.3 

Additionally,  we  reviewed  and  compared  residential  security  standards 
and  other  security-related  guidance  within  the  FAM  and  FAH  to  evaluate 
their  clarity  and  consistency.  We  identified  gaps  and  inconsistencies  in 
relevant  standards  and  security-related  guidance  for  residences  in  the 
course  of  (1)  conducting  an  analysis  of  the  OSPB  standards,  the 
Residential  Security  Handbook,  and  the  Physical  Security  Handbook  to 
develop  our  facility  review  checklists  and  (2)  discussing  the  guidance  with 
knowledgeable  State  officials.  Because  it  was  beyond  the  scope  of  this 
engagement  to  systematically  review  all  residential  security  standards 


^2  FAH-8  (Residential  Security  Handbook),  12  FAH-5  (Physical  Security  Handbook),  12 
FAH-6  (OSPB  security  standards),  12  FAM  470  (Residential  Security  Program),  12  FAM 
420  (Post  Security  Management),  and  15  FAM  640  (Approvals  Required  for  Repairs  and 
Improvements). 

2See  GAO,  Executive  Guide:  Effectively  Implementing  the  Government  Performance  and 
Results  Act,  GAO/GGD-96-1 18  (Washington,  D.C.:  June  1996). 

3See  GAO,  Standards  for  Internal  Control  in  the  Federal  Government, 

GAO/AIM D-00-21 .3.1  (Washington,  D.C.:  November  1999). 


Page  33 


GAO-15-700  Diplomatic  Security 


Appendix  I:  Objectives,  Scope,  and 
Methodology 


and  related  guidance  for  gaps  and  consistencies,  we  cannot  generalize 
our  findings  to  all  standards  and  security-related  guidance  for  residences. 
We  also  evaluated  the  timeliness  of  updates  to  OSPB  residential  security 
standards.  To  do  so,  we  asked  State  to  identify  all  updates  to  the 
residential  security  standards  since  2005  and  to  provide  information  about 
when  the  updates  started  and  were  completed.  We  then  analyzed  how 
long  each  update  took  and  compared  that  against  State  officials’ 
expectation  of  how  long  such  updates  should  take. 

In  addition  to  reviewing  the  documents  above,  we  interviewed  officials  in 
Washington,  D.C.,  from  DS;  the  Bureau  of  Overseas  Buildings  Operations 
(OBO);  State’s  Office  of  Management  Policy,  Rightsizing,  and  Innovation; 
and  the  U.S.  Agency  for  International  Development.  We  also  traveled  to  7 
posts  and  conducted  work  focused  on  3  other  posts.  Our  judgmental 
sample  of  10  posts  included  nine  countries  in  four  of  State’s  six 
geographic  regions — Africa,  the  Near  East,  South  and  Central  Asia,  and 
the  Western  Hemisphere.  Each  of  the  10  posts  was  rated  by  DS  as 
having  a  high  or  critical  threat  level  in  one  or  more  of  the  Security 
Environment  Threat  List  categories  of  political  violence,  terrorism,  and 
crime.  Additionally,  all  but  1  of  the  10  posts  we  selected  were  within  the 
top  75  posts  rated  by  DS  as  the  highest  risk  worldwide;  of  the  10,  7  were 
within  the  top  50,  and  4  were  within  the  top  25.  For  security  reasons,  we 
are  not  naming  the  10  posts  in  our  judgmental  sample.  Our  findings  from 
these  posts  are  not  generalizable  to  all  posts.  Moreover,  our  judgmental 
sample  of  high-threat,  high-risk  posts  cannot  be  generalized  to  other  high- 
threat,  high-risk  posts. 

For  2  of  the  3  posts  in  our  judgmental  sample  that  we  did  not  visit,  we 
reviewed  residential  security  surveys  and  spoke  with  a  Regional  Security 
Officer  (RSO)  regarding  residential  security  measures  in  place  at  the 
posts.  For  the  third  post  we  did  not  visit,  we  requested  RSO  input  on 
recent  security  upgrades  and  any  remaining  vulnerabilities  at  soft  target 
facilities  at  post.  At  the  7  posts  we  visited,  we  met  with  U.S.  government 
officials  from  State  and  other  agencies  involved  in  securing  residences 
and  other  soft  targets — including  RSOs,  general  services  officers, 
financial  management  officers,  facility  managers,  and  members  of  post 
Emergency  Action  Committees  and  Interagency  Housing  Boards — to 
understand  their  respective  roles  related  to  security  of  residences  and 
other  soft  targets  and  their  perspectives  on  State’s  security  policies  and 
procedures  for  these  facilities.  We  also  requested  residential  security 
surveys  for  all  68  residences  in  our  judgmental  selection.  We  evaluated 
the  posts’  records  of  these  surveys  using  the  residential  security  survey 
requirements  outlined  in  the  FAM.  Additionally,  we  reviewed  security 


Page  34 


GAO-15-700  Diplomatic  Security 


Appendix  I:  Objectives,  Scope,  and 
Methodology 


measures  in  place  at  10  schools  attended  by  U.S.  government 
dependents  and  3  off-compound  employee  association  facilities.  Of  the 
10  schools,  6  were  “American-sponsored”  schools  that  receive  State 
assistance;  the  other  4  do  not  receive  State  assistance  but  enroll  U.S. 
government  dependents. 

At  the  7  posts  we  visited,  we  also  evaluated  a  judgmental  selection  of  68 
residences  against  applicable  security  standards.  To  do  so,  we  first  asked 
DS  officials  to  identify  all  sections  of  the  FAH  that  contain  residential 
security  standards.  Based  on  DS’s  input,  we  reviewed  all  of  the  identified 
sections  and  developed  checklists  of  the  residential  security  standards 
applicable  to  each  of  the  following  residence  types:  on-compound 
housing,  off-compound  apartments,  off-compound  single  family  homes, 
off-compound  residential  compounds,  off-compound  Marine  Security 
Guard  residences,  and  off-compound  residences  for  principal  officers. 

The  checklist  for  each  residence  type  included  the  standards  applicable 
to  it  as  of  our  fall  2014  visit,  and  the  checklists  for  off-compound 
residences  also  included  the  new  May  2014  standards  to  address 
terrorism,  which  all  off-compound  residences  have  to  meet  by  July  2017. 
As  noted  earlier  in  this  report,  standards  also  vary  by  date  of  construction 
or  acquisition  and  threat  level.  We  included  these  variations  in  each 
checklist  so  that  for  each  residence  we  visited,  we  could  apply  the  exact 
standards  applicable  to  it  based  on  its  type,  its  date  of  construction  or 
acquisition,  and  the  post  threat  level. 

Our  checklists  included  mandatory  standards  worded  in  terms  of 
measures  that  “must”  be  taken  as  well  as  other  standards,  such  as 
measures  that  are  “recommended”  or  that  “should”  or  will  “ideally”  be 
taken,  among  others.  While  we  used  all  of  these  standards  to  review  the 
residences  we  visited,  the  analysis  presented  in  this  report  only  includes 
mandatory  standards  worded  in  terms  of  measures  that  “must”  be  taken. 
We  did  not  include  other  standards  in  our  analysis  because,  as  discussed 
earlier  in  this  report,  some  of  the  terminology  used  in  those  standards  is 
inconsistent,  making  it  difficult  to  determine  if  a  given  residence  is  in 
compliance  or  not. 

With  regard  to  the  specific  68  residences  reviewed,  we  evaluated  the 
principal  officer’s  residence  at  6  of  7  posts  and  the  Marine  Security  Guard 


Page  35 


GAO-15-700  Diplomatic  Security 


Appendix  I:  Objectives,  Scope,  and 
Methodology 


residence  at  5  of  7  posts.4  The  remaining  57  residences  in  our  judgmental 
selection  represented  a  mix  of  different  types  of  residences  (such  as 
apartments  and  single  family  homes),  on-compound  and  off-compound 
residences,  owned  and  leased  residences,  older  and  newer  residences, 
and  residences  occupied  by  State  officials  and  non-State  officials.  Using 
the  checklists  that  we  developed,  we  reviewed  each  of  the  68  residences 
against  the  mandatory  standards  applicable  to  it  as  of  our  fall  2014  visit; 
in  addition,  we  reviewed  each  of  the  56  off-compound  residences  against 
the  mandatory  standards  in  the  new  May  2014  standards  to  address 
terrorism. 

After  completing  all  68  checklists,  we  categorized  the  mandatory 
standards  into  six  general  categories,  which  we  developed  on  the  basis  of 
our  professional  judgment  as  well  as  our  review  of  the  six  general 
categories  of  security  standards  presented  in  our  June  2014  reporting  on 
the  security  of  diplomatic  work  facilities  overseas.5  Each  category 
included  one  or  more  mandatory  standards.  For  example,  the  category  of 
secure  building  exteriors  included  mandatory  standards  calling  for 
features  such  as  lighting;  substantial  or  grilled  doors  with  peepholes  and 
deadbolt  locks;  and  grilles,  locks,  and  shatter-resistant  film  on  accessible 
windows.  For  the  purposes  of  our  analysis,  if  a  residence  did  not  meet 
one  of  more  of  the  mandatory  standards  in  a  given  category,  we  classified 
the  residence  as  not  meeting  all  mandatory  standards  in  that  category. 

We  used  this  methodology  to  calculate  the  number  of  residences  that  did 
not  meet  all  mandatory  security  standards  applicable  to  them  as  of  fall 
2014  within  each  security  standard  category.  We  used  the  same 
methodology  to  calculate  the  number  of  off-compound  residences  that  did 
not  meet  all  mandatory  standards  within  each  category  of  the  new  May 
2014  standards  to  address  terrorism. 


4We  did  not  evaluate  the  principal  officer’s  residence  at  1  post  because  of  security 
sensitivities.  However,  the  principal  officer’s  residence  was  part  of  an  on-compound 
housing  complex  in  which  the  units  generally  had  identical  security  features,  and  we  did 
evaluate  one  such  unit.  We  did  not  evaluate  Marine  Security  Guard  residences  at  2  posts 
because  at  one  post,  the  residence  was  under  renovation  at  the  time  of  our  visit,  and  at 
the  other  post,  there  was  no  Marine  Security  Guard  residence  since  no  Marines  are 
assigned  to  that  post. 

5GAO,  Diplomatic  Security:  Overseas  Facilities  May  Face  Greater  Risks  Due  to  Gaps  in 
Security-Related  Activities,  Standards,  and  Policies,  GAO-14-655  (Washington,  D.C.: 
June  25,  2014). 


Page  36 


GAO-15-700  Diplomatic  Security 


Appendix  I:  Objectives,  Scope,  and 
Methodology 


To  determine  the  reliability  of  the  data  we  collected  on  overseas 
residences  and  funding  for  security  upgrades  to  residences,  schools 
attended  by  children  of  U.S.  government  personnel,  and  off-compound 
facilities  of  employee  associations,  we  compared  information  from 
multiple  sources,  checked  the  data  for  reasonableness,  and  interviewed 
cognizant  officials  regarding  the  processes  they  use  to  collect  and  track 
the  data.  We  evaluated  the  reliability  of  OBO’s  data  on  overseas 
residential  properties  by  comparing  records  for  specific  residences  from 
OBO’s  system  with  information  we  collected  during  site  visits  to  these 
residences  and  discussions  with  OBO  and  post  officials.  We  evaluated 
the  reliability  of  the  funding  data  we  collected  by  comparing  the  data 
against  prior  GAO  reporting  and  by  interviewing  DS  and  OBO  officials 
familiar  with  State’s  financial  management  system  to  ask  how  the  data 
are  tracked  and  checked  for  accuracy.  On  the  basis  of  these  checks,  we 
determined  that  the  data  we  collected  on  overseas  residences  and 
funding  were  sufficiently  reliable  for  the  purposes  of  this  engagement. 

We  conducted  this  performance  audit  from  July  2014  to  June  2015  in 
accordance  with  generally  accepted  government  auditing  standards. 
Those  standards  require  that  we  plan  and  perform  the  audit  to  obtain 
sufficient,  appropriate  evidence  to  provide  a  reasonable  basis  for  our 
findings  and  conclusions  based  on  our  audit  objectives.  We  believe  that 
the  evidence  obtained  provides  a  reasonable  basis  for  our  findings  and 
conclusions  based  on  our  audit  objectives. 


Page  37 


GAO-15-700  Diplomatic  Security 


Appendix  II:  Comments  from  the  Department 
of  State 


United  States  Department  of  State 

Comptroller 
Washington,  DC  20520 

JUN  2  5  2015 

Dr.  Loren  Yager 
Managing  Director 
International  Affairs  and  Trade 
Government  Accountability  Office 
441  G  Street,  N.W. 

Washington,  D.C.  20548-0001 


Dear  Dr.  Yager: 

We  appreciate  the  opportunity  to  review  your  draft  report, 

“DIPLOMATIC  SECURITY:  State  Department  Should  Better  Manage  Risks  to 
Residences  and  Other  Soft  Targets  Overseas”  GAO  Job  Code  321072. 

The  enclosed  Department  of  State  comments  are  provided  for  incorporation 
with  this  letter  as  an  appendix  to  the  final  report. 

If  you  have  any  questions  concerning  this  response,  please  contact 
Paul  Ginsburg,  Policy  Analyst,  Office  of  the  Executive  Director,  Bureau  of 
Diplomatic  Security  at  (571)  345-9696. 

Sincerely, 


Christopher  H.  Flaggs0 

Enclosure: 

As  stated. 

cc:  GAO  -  Michael  Courts 

DS  —  Gregory  Starr 
State/OIG  -  Norman  Brown 


Page  38 


GAO-15-700  Diplomatic  Security 


Appendix  II:  Comments  from  the  Department 
of  State 


Department  of  State  Comments  on  GAO  Draft  Report 

DIPLOMATIC  SECURITY:  State  Department  Should  Better  Manage  Risks 

to  Residences  and  Other  Soft  Targets  Overseas 

(GAO-15-700,  GAO  Code  321072) 

Thank  you  for  the  opportunity  to  comment  on  your  draft  report  entitled 
“State  Department  Should  Better  Manage  Risks  to  Residences  and  Other  Soft 
Targets  Overseas.”  As  the  only  federal  agency  that  does  such  programs  in  the 
overseas  environment,  the  Department  of  State  stands  by  its  management  record 
for  securing  residences  and  other  soft  targets.  Tire  management  of  residential  and 
soft  target  security  has  been  fully  funded  and  successfully  supported  by  the 
Department  of  State  for  numerous  years  as  a  critical  element  to  the  overall 
embassy  security  posture  and  the  protection  of  U.S.  interests  overseas.  The  report 
includes  five  recommendations  for  the  Department  of  State.  The  Department 
concurs  with  these  recommendations  that  assist  us  in  further  refining  and 
monitoring  our  strong  and  robust  residential  security  and  soft  targets  programs. 

First,  GAO  recommends  that  that  the  Department  of  State’s  Bureau  of 
Diplomatic  Security  (DS)  institute  procedures  to  improve  posts’  compliance  with 
requirements  for  conducting  residential  security  surveys. 

In  response,  the  Department  agrees.  To  continue  to  improve  post’s 
compliance  with  requirements  for  conducting  residential  security  surveys,  DS  will 
institute  a  residential  security  program  (RSP)  reporting  requirement  to  be  codified 
in  12  FAM  425,  whereby  each  regional  security  officer  (RSO)  will  report  annually 
the  status  of  their  post’s  residential  security  program  (RSP).  The  report  will 
include,  for  the  previous  1 2  month  period,  the  number  of  new  residential  properties 
acquired,  the  number  of  new  residential  security  surveys  conducted,  and  the 
number  of  re-surveys  conducted  as  required  for  existing  residences.  In  addition, 
the  report  will  require  the  RSO  to  affirm  that  all  occupied  residences  meet 
applicable  security  standards  or  have  been  granted  exceptions  to  those  standards. 

International  Programs’  Office  of  Overseas  Protective  Operations 
(DS/IP/OPO)  and  Countenneasures  (DS/C),  who  share  residential  security 
responsibilities,  have  begun  working  together  and  are  currently  preparing 
requirements  to  develop  a  Residential  Security  Survey  (RSS)  SharePoint  site  that 
will  provide  three  main  business  objectives: 


Page  39 


GAO-15-700  Diplomatic  Security 


Appendix  II:  Comments  from  the  Department 
of  State 


-2- 

1 )  Provide  newly  developed  on-line  residential  security  survey  templates  for 
the  various  types  of  residences.  This  site  will  collate  all  RSO  residential 
security  surveys  into  one  application  used  by  DS/IP/OPO  and  DS/C  offices. 
The  survey  site  and  templates  will  be  designed  to  contain  all  necessary  tools 
and  information  RSOs  need  to  conduct  an  accurate  residential  security 
survey,  thereby  reducing  the  burden  on  RSOs  to  read  and  comprehend  pages 
of  complex  regulations,  and  develop  their  own  templates. 

2)  Waivers  and  Exceptions  processing  will  be  standardized  between  the 
offices  (DS/IP/OPO  and  DS/C),  an  electronic  form  will  be  provided,  and  all 
waivers  and  exceptions  will  be  collated  into  one  application. 

3)  Improved  oversight  and  program  management:  The  site  will  enable  both 
RSOs  in  the  field  and  headquarters  leadership  to  provide  more  efficient 
oversight  and  management  of  the  residential  security  program  because  the 
surveys,  waivers,  and  exceptions  processes  will  be  on-line  and  viewable  to 
all  program  management  offices  involved.  The  surveys  will  enable 
systematic  identification  of  deficiencies  that  require  waivers  and/or 
exceptions  to  ensure  maximum  compliance. 

Second,  GAO  recommends  that  DS  take  steps  to  clarify  existing  standards 
and  security-related  guidance  for  residences.  For  example,  DS  could  conduct  a 
comprehensive  review  of  its  various  sources  of  standards  and  security-related 
guidance  for  residences  and  take  steps  to  identify  and  eliminate  gaps  and 
inconsistencies. 

In  response,  the  Department  agrees.  DS  will  initiate  a  working  group  to 
conduct  a  comprehensive  review  of  its  various  sources  of  standards  and  security- 
related  guidance  for  residences  and  take  steps  to  identify  and  eliminate  gaps  and 
inconsistencies.  In  the  meantime,  DS  has  published  a  revised  SharePoint  site 
whereby  RSOs  have  been  furnished  with  updated  residential  security  guidance, 
templates,  and  answers  to  frequently  asked  questions.  DS  presented  an  interactive 
“webinar”  with  RSOs  on  the  residential  security  program. 

Third,  GAO  recommends  that  DS  develop  procedures  for  ensuring  that  all 
residences  at  posts  overseas  either  meet  applicable  standards  or  have  required 
exceptions  on  file. 

In  response,  the  Department  agrees.  On  May  7,  RSOs  were  directed  by  DS 
to  update  and  provide  their  Post  Residential  Security  Program  Directives  to  the 


Page  40 


GAO-15-700  Diplomatic  Security 


Appendix  II:  Comments  from  the  Department 
of  State 


-3  - 

International  Programs’  Office  of  Overseas  Protective  Operations  (DS/IP/OPO)  to 
reflect  the  new  residential  security  standards.  RSOs  were  also  directed  to 
implement  the  new  standards  or  request  exceptions  when  necessary  in  order  for  all 
residences  to  meet  the  required  standards  by  July  2017. 

Fourth,  GAO  recommends  that  DS  ensure  that  DS/IP/OPO  and  DS/C  share 
information  with  one  another  on  the  exceptions  they  have  processed  to  help  DS 
establish  a  complete  picture  of  all  residential  security  exceptions  on  file.  In 
response.  State  agrees.  As  noted  above,  DS  directorates  are  also  developing  the 
requirements  for  a  single  database  to  capture  all  residential  security  surveys, 
exceptions,  and  waivers. 

The  site  will  enable  RSOs  in  the  field  and  DS  offices  to  provide  more 
efficient  oversight  and  management  of  the  residential  security  program.  All 
surveys,  waivers,  and  exceptions  processes  will  be  on-line  and  viewable  to  all 
program  management  offices  involved.  The  surveys  will  enable  systematic 
identification  of  deficiencies  that  require  waivers  and/or  exceptions  to  ensure 
maximum  compliance. 

Fifth,  GAO  recommends  that  DS  takes  steps  in  consultation  with  Overseas 
Buildings  Operations  (OBO)  to  ensure  that  RSOs  are  aware  of  existing  guidance 
and  tools  regarding  the  security  of  schools  and  other  nonresidential  soft  targets.  For 
example,  DS  and  OBO  could  modify  the  Soft  Target  Program  cable  to  reference 
the  Foreign  Affairs  Manual  (FAM)  subchapter. 

In  response,  the  Department  agrees.  DS/C  will  coordinate  with  OBO  to 
include  in  the  next  Soft  Target  Program  cable  references  to  the  FAM  subchapter 
and  also  links  to  the  RSO  Toolkit,  which  contains  the  Physical  Security  and  Soft 
Targets  program  training  materials  RSO  received  during  preparatory  training  for 
overseas  assignment. 

In  conclusion,  the  Department  thanks  the  GAO  for  this  constructive  audit 
and  will  promptly  implement  the  above  recommendations  to  better  prepare  to 
operate  more  effectively  in  the  future. 


Page  41 


GAO-15-700  Diplomatic  Security 


Appendix  III:  GAO  Contact  and  Staff 
Acknowledgments 


GAO  Contact 


Michael  J.  Courts,  (202)  512-8980  or  courtsm@gao.gov 


Staff 

Acknowledgments 


In  addition  to  the  contact  named  above,  Thomas  Costa  (Assistant 
Director),  Joshua  Akery,  Amanda  Bartine,  John  Bauckman,  Tina  Cheng, 
Aniruddha  Dasgupta,  David  Dayton,  Martin  De  Alteriis,  Jonathan 
Fremont,  Grace  Lui,  and  Candice  Wright  made  key  contributions  to  this 
report. 


(321072) 


Page  42 


GAO-15-700  Diplomatic  Security 


GAO’s  Mission 

The  Government  Accountability  Office,  the  audit,  evaluation,  and 
investigative  arm  of  Congress,  exists  to  support  Congress  in  meeting  its 
constitutional  responsibilities  and  to  help  improve  the  performance  and 
accountability  of  the  federal  government  for  the  American  people.  GAO 
examines  the  use  of  public  funds;  evaluates  federal  programs  and 
policies;  and  provides  analyses,  recommendations,  and  other  assistance 
to  help  Congress  make  informed  oversight,  policy,  and  funding  decisions. 
GAO’s  commitment  to  good  government  is  reflected  in  its  core  values  of 
accountability,  integrity,  and  reliability. 

Obtaining  Copies  of 
GAO  Reports  and 
Testimony 

The  fastest  and  easiest  way  to  obtain  copies  of  GAO  documents  at  no 
cost  is  through  GAO’s  website  (http://www.gao.gov).  Each  weekday 
afternoon,  GAO  posts  on  its  website  newly  released  reports,  testimony, 
and  correspondence.  To  have  GAO  e-mail  you  a  list  of  newly  posted 
products,  go  to  http://www.gao.gov  and  select  “E-mail  Updates.” 

Order  by  Phone 

The  price  of  each  GAO  publication  reflects  GAO’s  actual  cost  of 
production  and  distribution  and  depends  on  the  number  of  pages  in  the 
publication  and  whether  the  publication  is  printed  in  color  or  black  and 
white.  Pricing  and  ordering  information  is  posted  on  GAO’s  website, 
http://www.gao.gov/ordering.htm. 

Place  orders  by  calling  (202)  512-6000,  toll  free  (866)  801-7077,  or 

TDD  (202)  512-2537. 

Orders  may  be  paid  for  using  American  Express,  Discover  Card, 
MasterCard,  Visa,  check,  or  money  order.  Call  for  additional  information. 

Connect  with  GAO 

Connect  with  GAO  on  Facebook,  Flickr,  Twitter,  and  YouTube. 

Subscribe  to  our  RSS  Feeds  or  E-mail  Updates.  Listen  to  our  Podcasts. 
Visit  GAO  on  the  web  at  www.gao.gov. 

To  Report  Fraud, 
Waste,  and  Abuse  in 
Federal  Programs 

Contact: 

Website:  http://www.gao.gov/fraudnet/fraudnet.htm 

E-mail:  fraudnet@gao.gov 

Automated  answering  system:  (800)  424-5454  or  (202)  512-7470 

Congressional 

Relations 

Katherine  Siggerud,  Managing  Director,  siggerudk@gao.gov,  (202)  512- 
4400,  U.S.  Government  Accountability  Office,  441  G  Street  NW,  Room 
7125,  Washington,  DC  20548 

Public  Affairs 

Chuck  Young,  Managing  Director,  youngd@gao.gov,  (202)  512-4800 

U.S.  Government  Accountability  Office,  441  G  Street  NW,  Room  7149 
Washington,  DC  20548 

Please  Print  on  Recycled  Paper. 

